WSF Downloads Payload that Sets-up a Server to Accept Incoming Connections | Grouped Behavior
Monitored Processes
Behavior Information - Grouped by Category
Process #1: cscript.exe
(Host: 693, Network: 18)
Information Value
ID #1
File Name c:\windows\system32\cscript.exe
Command Line "C:\Windows\System32\CScript.exe" "C:\Users\CIIHMN~1\Desktop\2999BA~1.WSF"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:20, Reason: Analysis Target
Unmonitor End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration 00:02:00
OS Process Information
Information Value
PID 0xf80
Parent PID 0x728 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF84, 0xFF0, 0xFF4, 0xFF8, 0xFFC, 0xC5C, 0xC20, 0xC18, 0xC6C, 0xC78, 0xC74, 0x650, 0xC90
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
For performance reasons, the remaining 28 entries are omitted.
The remaining entries can be found in flog.txt.
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\ciihmn~1\appdata\local\temp\84526935.scr 479.00 KB (490496 bytes) MD5: f549977bce0051085abbe8d7728be589
SHA1: 33e0317a4da4cc10737f5ff54f010315a3b71867
SHA256: 21610f6f3397058086f90d9e0f74ba524aeb69d788efca24f344327460532a58
False
Host Behavior
COM (21)
Operation Class Interface Additional Information Success Count Logfile
Create 06290BD6-48AA-11D2-8432-006008C3FBFC 06290BEA-48AA-11D2-8432-006008C3FBFC cls_context = CLSCTX_INPROC_SERVER False 1
Create 06290BD0-48AA-11D2-8432-006008C3FBFC 06290BEA-48AA-11D2-8432-006008C3FBFC cls_context = CLSCTX_INPROC_SERVER True 1
Create 06290BD1-48AA-11D2-8432-006008C3FBFC 342D1EA0-AE25-11D1-89C5-006008C3FBFC cls_context = CLSCTX_INPROC_SERVER True 1
Create 06290BD1-48AA-11D2-8432-006008C3FBFC E4D1C9B0-46E8-11D4-A2A6-00104BD35090 cls_context = CLSCTX_INPROC_SERVER True 1
Create F414C260-6AC0-11CF-B6D1-00AA00BBBB58 00000001-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Create 00000323-0000-0000-C000-000000000046 00000146-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER True 1
Create 6C736DB1-BD94-11D0-8A23-00AA00B58E10 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 cls_context = CLSCTX_INPROC_SERVER True 2
Create WScript.Shell IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 4
Create MSXML2.XMLHTTP IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 4
Create ADODB.Stream IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Execute MSXML2.XMLHTTP IDispatch method_name = Open True 1
Execute MSXML2.XMLHTTP IDispatch method_name = Open True 1
Execute MSXML2.XMLHTTP IDispatch method_name = Open True 1
Execute MSXML2.XMLHTTP IDispatch method_name = Open True 1
File (8)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\Desktop\2999BA~1.WSF desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\84526935.scr - True 1
Get Info C:\Users\CIIHMN~1\Desktop\2999BA~1.WSF type = size True 1
Get Info C:\Users\CIIHMN~1\Desktop\2999BA~1.WSF type = size True 1
Open STD_OUTPUT_HANDLE - True 1
Read C:\Users\CIIHMN~1\Desktop\2999BA~1.WSF size = 97272, size_out = 97272 True 1
Write STD_OUTPUT_HANDLE size = 110 True 1
Write C:\Users\CIIHMN~1\AppData\Local\Temp\84526935.scr size = 490496 True 1
Registry (23)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 1
Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - False 3
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 3
Open Key HKEY_CLASSES_ROOT\.WSF - True 1
Open Key HKEY_CLASSES_ROOT\WSFFile\ScriptEngine - False 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Enabled, data = 0, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = LogSecuritySuccesses, data = 0, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = TrustPolicy, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = UseWINSAFER, data = 1, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 1, type = REG_SZ True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 49, type = REG_NONE False 1
Read Value HKEY_CLASSES_ROOT\.WSF data = WSFFile, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Process (1)
Operation Process Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\84526935.scr show_window = SW_SHOWNORMAL True 1
Module (46)
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x7ffb3d260000 True 2
Load urlmon.dll base_address = 0x7ffb2ea50000 True 1
Load C:\Windows\system32\shlwapi.dll base_address = 0x7ffb3a9f0000 True 1
Load WLDP.DLL base_address = 0x7ffb2bea0000 True 1
Load C:\Windows\system32\advapi32.dll base_address = 0x7ffb3c2d0000 True 1
Load amsi.dll base_address = 0x7ffb2d270000 True 2
Load shell32.dll base_address = 0x7ffb3aa50000 True 1
Get Handle c:\windows\system32\cscript.exe base_address = 0x7ff7cbfd0000 True 5
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ffb3d260000 True 1
Get Handle c:\windows\system32\kernelbase.dll base_address = 0x7ffb3a800000 True 1
Get Filename c:\windows\system32\cscript.exe process_name = c:\windows\system32\cscript.exe, file_name_orig = C:\Windows\System32\CScript.exe, size = 261 True 1
Get Filename - process_name = c:\windows\system32\cscript.exe, file_name_orig = C:\Windows\System32\CScript.exe, size = 260 True 1
Get Filename - process_name = c:\windows\system32\cscript.exe, file_name_orig = C:\Windows\System32\CScript.exe, size = 261 True 4
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x7ffb3d27d550 True 1
Get Address c:\windows\system32\kernel32.dll function = HeapSetInformation, address_out = 0x7ffb3d280f40 True 1
Get Address c:\windows\system32\urlmon.dll function = CreateURLMonikerEx, address_out = 0x7ffb2ea74fe0 True 1
Get Address c:\windows\system32\shlwapi.dll function = PathCreateFromUrlW, address_out = 0x7ffb3a9fc5e0 True 1
Get Address c:\windows\system32\wldp.dll function = WldpGetLockdownPolicy, address_out = 0x7ffb2bea1010 True 1
Get Address c:\windows\system32\wldp.dll function = WldpIsClassInApprovedList, address_out = 0x7ffb2bea3820 True 1
Get Address c:\windows\system32\advapi32.dll function = SaferIdentifyLevel, address_out = 0x7ffb3c2da7d0 True 1
Get Address c:\windows\system32\advapi32.dll function = SaferComputeTokenFromLevel, address_out = 0x7ffb3c2d3ba0 True 1
Get Address c:\windows\system32\advapi32.dll function = SaferCloseLevel, address_out = 0x7ffb3c2e6cc0 True 1
Get Address c:\windows\system32\kernel32.dll function = QueryProtectedPolicy, address_out = 0x7ffb3a86d460 True 1
Get Address c:\windows\system32\amsi.dll function = AmsiInitialize, address_out = 0x7ffb2d272260 True 2
Get Address c:\windows\system32\amsi.dll function = AmsiScanString, address_out = 0x7ffb2d2726b0 True 2
Get Address c:\windows\system32\kernelbase.dll function = ResolveDelayLoadedAPI, address_out = 0x7ffb3a85a1b0 True 1
Get Address c:\windows\system32\kernelbase.dll function = ResolveDelayLoadsFromDll, address_out = 0x7ffb3a8be790 True 1
Get Address c:\windows\system32\cscript.exe function = 1, address_out = 0x7ff7cbfd1350 True 4
Get Address c:\windows\system32\shell32.dll function = ShellExecuteExW, address_out = 0x7ffb3ab32460 True 1
Get Address c:\windows\system32\amsi.dll function = AmsiUninitialize, address_out = 0x7ffb2d272490 True 1
Create Mapping C:\Users\CIIHMN~1\Desktop\2999BA~1.WSF filename = C:\Users\CIIHMN~1\Desktop\2999BA~1.WSF, protection = PAGE_READONLY, maximum_size = 97272 True 1
Map C:\Users\CIIHMN~1\Desktop\2999BA~1.WSF process_name = c:\windows\system32\cscript.exe, desired_access = FILE_MAP_READ True 1
Window (1)
Operation Window Name Additional Information Success Count Logfile
Create - class_name = WSH-Timer, wndproc_parameter = 671033220080 True 1
System (583)
Operation Additional Information Success Count Logfile
Sleep duration = -1 (infinite) True 2
Get Info type = Operating System True 4
Get Info type = System Directory True 2
Get Info type = System Directory, result_out = C:\Windows\system32 True 2
Get Info type = Hardware Information True 1
Get Info type = Operating System True 1
Environment (2)
Operation Additional Information Success Count Logfile
Get Environment String name = JS_PROFILER False 2
Network Behavior
HTTP Sessions (4)
Information Value
Total Data Sent 0.35 KB (355 bytes)
Total Data Received 479.00 KB (490496 bytes)
Contacted Host Count 4
Contacted Hosts www.atdrrtd.vs, wsfxvers.ch, serfd.ch, www.apapernotion.com
HTTP Session #1
Information Value
Used COM interface MSXML2.XMLHTTP
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
Server Name www.atdrrtd.vs
Server Port 443
Data Sent 0.00 KB (0 bytes)
Data Received 0.00 KB (0 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS True 1
Fn
Open Connection protocol = https, server_name = www.atdrrtd.vs, server_port = 443 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1 True 1
Fn
Receive HTTP Status status = 12007 True 1
Fn
HTTP Session #2
Information Value
Used COM interface MSXML2.XMLHTTP
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
Server Name wsfxvers.ch
Server Port 443
Data Sent 0.00 KB (0 bytes)
Data Received 0.00 KB (0 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS True 1
Open Connection protocol = https, server_name = wsfxvers.ch, server_port = 443 True 1
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /fdsffffjt.ico True 1
Receive HTTP Status status = 12007 True 1
HTTP Session #3
Information Value
Used COM interface MSXML2.XMLHTTP
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
Server Name serfd.ch
Server Port 443
Data Sent 0.00 KB (0 bytes)
Data Received 0.00 KB (0 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS True 1
Open Connection protocol = https, server_name = serfd.ch, server_port = 443 True 1
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /fjgnt343.ico True 1
Receive HTTP Status status = 12007 True 1
HTTP Session #4
Information Value
Used COM interface MSXML2.XMLHTTP
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
Server Name www.apapernotion.com
Server Port 443
Data Sent 0.35 KB (355 bytes)
Data Received 479.00 KB (490496 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS True 1
Open Connection protocol = https, server_name = www.apapernotion.com, server_port = 443 True 1
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /wp-includes/Text/ri.php True 1
Send HTTP Request url = https://www.apapernotion.com/wp-includes/Text/ri.php True 1
Receive HTTP Status status = 200 True 1
Read Response size_out = 490496 True 1
Process #3: 84526935.scr
(Host: 1624, Network: 0)
Information Value
ID #3
File Name c:\users\ciihmn~1\appdata\local\temp\84526935.scr
Command Line "C:\Users\CIIHMN~1\AppData\Local\Temp\84526935.scr" /S
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:40, Reason: Child Process
Unmonitor End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration 00:01:40
OS Process Information
Information Value
PID 0xbec
Parent PID 0xf80 (c:\windows\system32\cscript.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 568
0x 344
0x 830
0x 468
0x CA4
0x C88
0x CF4
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00023fff Private Memory Readable, Writable True True False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True True False
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True True False
pagefile_0x0000000000040000 0x00040000 0x00053fff Pagefile Backed Memory Readable True False False
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory Readable, Writable True True False
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory Readable, Writable True True False
pagefile_0x00000000001a0000 0x001a0000 0x001a3fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory Readable True False False
private_0x00000000001c0000 0x001c0000 0x001c1fff Private Memory Readable, Writable True True False
private_0x00000000001d0000 0x001d0000 0x0020ffff Private Memory Readable, Writable True True False
private_0x0000000000210000 0x00210000 0x0021ffff Private Memory Readable, Writable True True False
private_0x0000000000220000 0x00220000 0x00220fff Private Memory Readable, Writable True True False
private_0x0000000000230000 0x00230000 0x0028cfff Private Memory Readable, Writable, Executable True True False
private_0x0000000000290000 0x00290000 0x00290fff Private Memory Readable, Writable, Executable True True False
private_0x00000000002a0000 0x002a0000 0x002a0fff Private Memory Readable, Writable True True False
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory Readable, Writable True True False
private_0x00000000003c0000 0x003c0000 0x003f8fff Private Memory Readable, Writable, Executable True True False
84526935.scr 0x00400000 0x004a1fff Memory Mapped File Readable, Writable, Executable True True False
locale.nls 0x004b0000 0x0056dfff Memory Mapped File Readable False False False
private_0x0000000000570000 0x00570000 0x0066ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000670000 0x00670000 0x007f7fff Pagefile Backed Memory Readable True False False
private_0x0000000000800000 0x00800000 0x008fffff Private Memory Readable, Writable True True False
private_0x0000000000800000 0x00800000 0x00838fff Private Memory Readable, Writable True True False
oleaut32.dll 0x00840000 0x008d0fff Memory Mapped File Readable False False False
private_0x00000000008f0000 0x008f0000 0x008fffff Private Memory Readable, Writable True True False
private_0x0000000000940000 0x00940000 0x0097ffff Private Memory Readable, Writable True True False
private_0x0000000000980000 0x00980000 0x0098ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000990000 0x00990000 0x00b10fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000b20000 0x00b20000 0x01f1ffff Pagefile Backed Memory Readable True False False
private_0x0000000001f20000 0x01f20000 0x0232ffff Private Memory Readable, Writable True True False
private_0x0000000002670000 0x02670000 0x0277ffff Private Memory Readable, Writable True True False
private_0x0000000002700000 0x02700000 0x0273ffff Private Memory Readable, Writable True True False
private_0x0000000002770000 0x02770000 0x0277ffff Private Memory Readable, Writable True True False
private_0x0000000002780000 0x02780000 0x0287ffff Private Memory Readable, Writable True True False
private_0x0000000002880000 0x02880000 0x0297ffff Private Memory Readable, Writable True True False
private_0x0000000002980000 0x02980000 0x029bffff Private Memory Readable, Writable True True False
private_0x00000000029c0000 0x029c0000 0x02abffff Private Memory Readable, Writable True True False
private_0x0000000002ac0000 0x02ac0000 0x02afffff Private Memory Readable, Writable True True False
private_0x0000000002b00000 0x02b00000 0x02bfffff Private Memory Readable, Writable True True False
private_0x0000000002c00000 0x02c00000 0x02c3ffff Private Memory Readable, Writable True True False
private_0x0000000002c40000 0x02c40000 0x02d3ffff Private Memory Readable, Writable True True False
wow64cpu.dll 0x5c9f0000 0x5c9f7fff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x5ca00000 0x5ca72fff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x5ca80000 0x5cacefff Memory Mapped File Readable, Writable, Executable False False False
apphelp.dll 0x74190000 0x74220fff Memory Mapped File Readable, Writable, Executable False False False
bcryptprimitives.dll 0x74230000 0x74288fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x74290000 0x74299fff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x742a0000 0x742bdfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x74500000 0x7463ffff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x74640000 0x74729fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x74730000 0x7475afff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x74760000 0x75b1efff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x75b80000 0x75c3dfff Memory Mapped File Readable, Writable, Executable False False False
powrprof.dll 0x75c40000 0x75c83fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x75d40000 0x75dbafff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x75dc0000 0x75e03fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x75e70000 0x75f1bfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75f20000 0x76095fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x760a0000 0x760e2fff Memory Mapped File Readable, Writable, Executable False False False
shcore.dll 0x76280000 0x7630cfff Memory Mapped File Readable, Writable, Executable False False False
windows.storage.dll 0x764d0000 0x769acfff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x769b0000 0x76afcfff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76bc0000 0x76caffff Memory Mapped File Readable, Writable, Executable False False False
combase.dll 0x76cf0000 0x76ea9fff Memory Mapped File Readable, Writable, Executable False False False
kernel.appcore.dll 0x76eb0000 0x76ebbfff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x77050000 0x7705efff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x77070000 0x7718ffff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77190000 0x77308fff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007fea4000 0x7fea4000 0x7fea6fff Private Memory Readable, Writable True True False
private_0x000000007fea7000 0x7fea7000 0x7fea9fff Private Memory Readable, Writable True True False
private_0x000000007feaa000 0x7feaa000 0x7feacfff Private Memory Readable, Writable True True False
private_0x000000007fead000 0x7fead000 0x7feaffff Private Memory Readable, Writable True True False
pagefile_0x000000007feb0000 0x7feb0000 0x7ffaffff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffd5000 0x7ffd5000 0x7ffd7fff Private Memory Readable, Writable True True False
private_0x000000007ffd8000 0x7ffd8000 0x7ffdafff Private Memory Readable, Writable True True False
private_0x000000007ffdb000 0x7ffdb000 0x7ffddfff Private Memory Readable, Writable True True False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True True False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True True False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
private_0x000000007fff0000 0x7fff0000 0x7ffb3d30ffff Private Memory Readable True False False
ntdll.dll 0x7ffb3d310000 0x7ffb3d4d1fff Memory Mapped File Readable, Writable, Executable False False False
private_0x00007ffb3d4d2000 0x7ffb3d4d2000 0x7ffffffeffff Private Memory Readable True False False
For performance reasons, the remaining 23 entries are omitted.
The remaining entries can be found in flog.txt.
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\ciihmn~1\appdata\local\temp\f2d7.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f2d8.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f2e8.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f2f9.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f2fa.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f2fb.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f2fc.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f32c.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f33c.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f33d.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f33e.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f33f.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f350.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f351.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f381.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f382.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f383.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f384.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f385.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f396.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f397.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f398.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f399.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f39a.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f3d9.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f3da.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f3eb.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f3ec.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f3ed.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f3fd.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f41e.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f42e.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f42f.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f430.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f9c0.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f9c1.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f9c2.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f9d2.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f9d3.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f9d4.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f9e5.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f9e6.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f9f7.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fa07.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fa08.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fa09.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fa0a.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fa1b.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fa2c.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fa2d.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fa2e.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fa3e.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fa3f.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fa50.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fa51.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fa52.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fa62.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fa63.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fa74.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fa85.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fa86.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fa96.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fa97.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fa98.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fa99.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\faaa.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\faca.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\facb.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\facc.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\facd.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fb4b.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fb6b.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fb6c.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fb6d.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fb7e.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fb7f.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fb90.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fb91.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fba1.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fba2.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fba3.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fbb4.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fbb5.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fbb6.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fbb7.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fbd7.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fbd8.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fbe9.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fbea.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fbeb.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fbec.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fbfc.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fbfd.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fbfe.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fc0f.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fc10.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fc11.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fc22.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\fc23.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\f2d7.tmp 0.01 KB (8 bytes) MD5: ab28e0b612bc4ddf226676cd532c962d
SHA1: b59526005703af82972679d96fc346768b4bfae8
SHA256: 60e9853af737363ea6439bee3a65a6683c9afdf1a87425e2e03c4b247e16534f
False
c:\users\ciihmn~1\appdata\local\temp\f2d8.tmp 0.01 KB (8 bytes) MD5: ab28e0b612bc4ddf226676cd532c962d
SHA1: b59526005703af82972679d96fc346768b4bfae8
SHA256: 60e9853af737363ea6439bee3a65a6683c9afdf1a87425e2e03c4b247e16534f
False
c:\users\ciihmn~1\appdata\local\temp\f2e8.tmp 0.01 KB (8 bytes) MD5: fd530f884ded068a1e9bd0ac2a1e36d8
SHA1: 4ccc4866976f7ec567851d7c90015a60fd7ccf2a
SHA256: db674604dc1fe9df020558e69b3038c738c697231903aa596700ac18070ffe85
False
c:\users\ciihmn~1\appdata\local\temp\f2f9.tmp 0.01 KB (8 bytes) MD5: df400c07cdf87dea697f5313673f45da
SHA1: 78a9aa849ec7e4dc62c0a1f49454d93c45aabfca
SHA256: da0800d82ed1c8d9d3a55ac2db30f1f9e27fdace3eb20f90926fcfbadc5a26f8
False
c:\users\ciihmn~1\appdata\local\temp\f2fa.tmp 0.01 KB (8 bytes) MD5: 4721c4ad3b7ab96da65f5567ea559b3c
SHA1: 54af4a938d39230c512a88002c59cb74f0bc0d07
SHA256: 4240d971d7c5c08a44a34da39e4e65e50322fa79dfcc7c1904395409116280b7
False
c:\users\ciihmn~1\appdata\local\temp\f2fb.tmp 0.01 KB (8 bytes) MD5: a8a2dadf629bfbc4b37e71549b0305f3
SHA1: a277c6508628e442c5d51332f94b533596097639
SHA256: 39e93984d5cd1d066156fd8694cede26f9c1cf87a1bcd93412a4adea1d435933
False
c:\users\ciihmn~1\appdata\local\temp\f2fc.tmp 0.01 KB (8 bytes) MD5: a8a2dadf629bfbc4b37e71549b0305f3
SHA1: a277c6508628e442c5d51332f94b533596097639
SHA256: 39e93984d5cd1d066156fd8694cede26f9c1cf87a1bcd93412a4adea1d435933
False
c:\users\ciihmn~1\appdata\local\temp\f32c.tmp 0.01 KB (8 bytes) MD5: cf7f81d4b988308d3cd856a6b41bbc56
SHA1: 7027b22c141ed485279594918c8593af5e251aba
SHA256: b05fdcc590001a2ba4dc7ac6c86157b0f33767ca499f98e60d711e86c4351a7a
False
c:\users\ciihmn~1\appdata\local\temp\f33c.tmp 0.01 KB (8 bytes) MD5: 37b7354ecaa8543098eb12c981ad4402
SHA1: 4d7147388a576aeb70d0f8afb28cfc8461aca2af
SHA256: 4509324384f471a0043d8adb1b060297bbf35c6ced8275ed4c667bc78e21bb2c
False
c:\users\ciihmn~1\appdata\local\temp\f33d.tmp 0.01 KB (8 bytes) MD5: 37b7354ecaa8543098eb12c981ad4402
SHA1: 4d7147388a576aeb70d0f8afb28cfc8461aca2af
SHA256: 4509324384f471a0043d8adb1b060297bbf35c6ced8275ed4c667bc78e21bb2c
False
c:\users\ciihmn~1\appdata\local\temp\f33e.tmp 0.01 KB (8 bytes) MD5: 37b7354ecaa8543098eb12c981ad4402
SHA1: 4d7147388a576aeb70d0f8afb28cfc8461aca2af
SHA256: 4509324384f471a0043d8adb1b060297bbf35c6ced8275ed4c667bc78e21bb2c
False
c:\users\ciihmn~1\appdata\local\temp\f33f.tmp 0.01 KB (8 bytes) MD5: 37b7354ecaa8543098eb12c981ad4402
SHA1: 4d7147388a576aeb70d0f8afb28cfc8461aca2af
SHA256: 4509324384f471a0043d8adb1b060297bbf35c6ced8275ed4c667bc78e21bb2c
False
c:\users\ciihmn~1\appdata\local\temp\f350.tmp 0.01 KB (8 bytes) MD5: 6563b28cb7911859a2569c553f469639
SHA1: 11ccbfeeeb88c1587a72cd8875ed8600a511aeec
SHA256: 9c91d18494f82e9c8ec624330f428cfb6866396caff0b7ff09ed31f91be429f8
False
c:\users\ciihmn~1\appdata\local\temp\f351.tmp 0.01 KB (8 bytes) MD5: 6563b28cb7911859a2569c553f469639
SHA1: 11ccbfeeeb88c1587a72cd8875ed8600a511aeec
SHA256: 9c91d18494f82e9c8ec624330f428cfb6866396caff0b7ff09ed31f91be429f8
False
c:\users\ciihmn~1\appdata\local\temp\f381.tmp 0.01 KB (8 bytes) MD5: 103e0b8fd12bb07ef8961566a7765a55
SHA1: f84633d25ea9b41c542644c0a381cb8457721ca2
SHA256: b249383eaadc3cac29adbbd2b933929ed5d6054e781c28770961aecbc70d7974
False
c:\users\ciihmn~1\appdata\local\temp\f382.tmp 0.01 KB (8 bytes) MD5: 103e0b8fd12bb07ef8961566a7765a55
SHA1: f84633d25ea9b41c542644c0a381cb8457721ca2
SHA256: b249383eaadc3cac29adbbd2b933929ed5d6054e781c28770961aecbc70d7974
False
c:\users\ciihmn~1\appdata\local\temp\f383.tmp 0.01 KB (8 bytes) MD5: 103e0b8fd12bb07ef8961566a7765a55
SHA1: f84633d25ea9b41c542644c0a381cb8457721ca2
SHA256: b249383eaadc3cac29adbbd2b933929ed5d6054e781c28770961aecbc70d7974
False
c:\users\ciihmn~1\appdata\local\temp\f384.tmp 0.01 KB (8 bytes) MD5: 103e0b8fd12bb07ef8961566a7765a55
SHA1: f84633d25ea9b41c542644c0a381cb8457721ca2
SHA256: b249383eaadc3cac29adbbd2b933929ed5d6054e781c28770961aecbc70d7974
False
c:\users\ciihmn~1\appdata\local\temp\f385.tmp 0.01 KB (8 bytes) MD5: 103e0b8fd12bb07ef8961566a7765a55
SHA1: f84633d25ea9b41c542644c0a381cb8457721ca2
SHA256: b249383eaadc3cac29adbbd2b933929ed5d6054e781c28770961aecbc70d7974
False
c:\users\ciihmn~1\appdata\local\temp\f396.tmp 0.01 KB (8 bytes) MD5: 375354fe68646f0128f6ab29e48869bd
SHA1: 041bcbffc817e9e86000ae0c3c77281280719268
SHA256: 5d393fd606d3ae2b4153699180cef6ad3c3f5aebe6cf05c43c109f7634949670
False
c:\users\ciihmn~1\appdata\local\temp\f397.tmp 0.01 KB (8 bytes) MD5: 375354fe68646f0128f6ab29e48869bd
SHA1: 041bcbffc817e9e86000ae0c3c77281280719268
SHA256: 5d393fd606d3ae2b4153699180cef6ad3c3f5aebe6cf05c43c109f7634949670
False
c:\users\ciihmn~1\appdata\local\temp\f398.tmp 0.01 KB (8 bytes) MD5: 375354fe68646f0128f6ab29e48869bd
SHA1: 041bcbffc817e9e86000ae0c3c77281280719268
SHA256: 5d393fd606d3ae2b4153699180cef6ad3c3f5aebe6cf05c43c109f7634949670
False
c:\users\ciihmn~1\appdata\local\temp\f399.tmp 0.01 KB (8 bytes) MD5: 375354fe68646f0128f6ab29e48869bd
SHA1: 041bcbffc817e9e86000ae0c3c77281280719268
SHA256: 5d393fd606d3ae2b4153699180cef6ad3c3f5aebe6cf05c43c109f7634949670
False
c:\users\ciihmn~1\appdata\local\temp\f39a.tmp 0.01 KB (8 bytes) MD5: 375354fe68646f0128f6ab29e48869bd
SHA1: 041bcbffc817e9e86000ae0c3c77281280719268
SHA256: 5d393fd606d3ae2b4153699180cef6ad3c3f5aebe6cf05c43c109f7634949670
False
c:\users\ciihmn~1\appdata\local\temp\f3d9.tmp 0.01 KB (8 bytes) MD5: 9914902ffd73d3d52944d5f02c990052
SHA1: f1ba32861024ce89f2616150c71bd25a0be1097a
SHA256: 438e2d2f7eed159de5d7d589ba5188e73b43c5f47aa6d561169346ae1e3d1c05
False
c:\users\ciihmn~1\appdata\local\temp\f3da.tmp 0.01 KB (8 bytes) MD5: 9914902ffd73d3d52944d5f02c990052
SHA1: f1ba32861024ce89f2616150c71bd25a0be1097a
SHA256: 438e2d2f7eed159de5d7d589ba5188e73b43c5f47aa6d561169346ae1e3d1c05
False
c:\users\ciihmn~1\appdata\local\temp\f3eb.tmp 0.01 KB (8 bytes) MD5: 2841502da02a6dc1929c6b679d2d952b
SHA1: e9542f012dcc2786e80130fd539129b7f7d6d553
SHA256: 7faae97a81dfe6e3a19ab568d3c36e4b68df217f4c7f21ea4bc13c1e33b8e92c
False
c:\users\ciihmn~1\appdata\local\temp\f3ec.tmp 0.01 KB (8 bytes) MD5: 2841502da02a6dc1929c6b679d2d952b
SHA1: e9542f012dcc2786e80130fd539129b7f7d6d553
SHA256: 7faae97a81dfe6e3a19ab568d3c36e4b68df217f4c7f21ea4bc13c1e33b8e92c
False
c:\users\ciihmn~1\appdata\local\temp\f3ed.tmp 0.01 KB (8 bytes) MD5: 2841502da02a6dc1929c6b679d2d952b
SHA1: e9542f012dcc2786e80130fd539129b7f7d6d553
SHA256: 7faae97a81dfe6e3a19ab568d3c36e4b68df217f4c7f21ea4bc13c1e33b8e92c
False
c:\users\ciihmn~1\appdata\local\temp\f3fd.tmp 0.01 KB (8 bytes) MD5: 14f8d6416125ae53432caacf7f85edcf
SHA1: cb0dc4b48c5703356951c02485ad6fcea8f6bc96
SHA256: 22924b1e57cb5405ae74e97b9d7b20c90b31c6111067035a1072de62688e230e
False
c:\users\ciihmn~1\appdata\local\temp\f41e.tmp 0.01 KB (8 bytes) MD5: aa75d8a30aacd8184640a5bc63dd8add
SHA1: 158000124dbae9ab0a834a306a1f2e52ead8cedd
SHA256: c20f0cc73e42057066194ead502dee19fe7b65238890cc6ea3eca658d96ea018
False
c:\users\ciihmn~1\appdata\local\temp\f42e.tmp 0.01 KB (8 bytes) MD5: 684c21c6a46af124447bdb10f9c4de69
SHA1: ebeb1642dad077201aab5cd2566c8f34b0a3b604
SHA256: a7c626455caeb41a1a6db61c703e08eb645ad45d2d84587ed95e25a1dccf756d
False
c:\users\ciihmn~1\appdata\local\temp\f42f.tmp 0.01 KB (8 bytes) MD5: 684c21c6a46af124447bdb10f9c4de69
SHA1: ebeb1642dad077201aab5cd2566c8f34b0a3b604
SHA256: a7c626455caeb41a1a6db61c703e08eb645ad45d2d84587ed95e25a1dccf756d
False
c:\users\ciihmn~1\appdata\local\temp\f430.tmp 0.01 KB (8 bytes) MD5: 684c21c6a46af124447bdb10f9c4de69
SHA1: ebeb1642dad077201aab5cd2566c8f34b0a3b604
SHA256: a7c626455caeb41a1a6db61c703e08eb645ad45d2d84587ed95e25a1dccf756d
False
c:\users\ciihmn~1\appdata\local\temp\f441.tmp 0.01 KB (8 bytes) MD5: 18ccd98a45f94ad63b8f2751d5c64f47
SHA1: 39cce3420bf79b006df70fad5bd4bd25a4ed2354
SHA256: 2a020923b05677c27a82d2e6b8a3e4385827616724b78702394d76b0a03a3841
False
c:\users\ciihmn~1\appdata\local\temp\f442.tmp 0.01 KB (8 bytes) MD5: 18ccd98a45f94ad63b8f2751d5c64f47
SHA1: 39cce3420bf79b006df70fad5bd4bd25a4ed2354
SHA256: 2a020923b05677c27a82d2e6b8a3e4385827616724b78702394d76b0a03a3841
False
c:\users\ciihmn~1\appdata\local\temp\f472.tmp 0.01 KB (8 bytes) MD5: 0fe5a713f286f220c91a08b30542ae0f
SHA1: 452bdea5a923e770304174c86876749ad68736e5
SHA256: 8123adf3394eb1db518c72de323441ab548b3ab30b9d3844102c1723c94d2f83
False
c:\users\ciihmn~1\appdata\local\temp\f473.tmp 0.01 KB (8 bytes) MD5: 0fe5a713f286f220c91a08b30542ae0f
SHA1: 452bdea5a923e770304174c86876749ad68736e5
SHA256: 8123adf3394eb1db518c72de323441ab548b3ab30b9d3844102c1723c94d2f83
False
c:\users\ciihmn~1\appdata\local\temp\f474.tmp 0.01 KB (8 bytes) MD5: 0fe5a713f286f220c91a08b30542ae0f
SHA1: 452bdea5a923e770304174c86876749ad68736e5
SHA256: 8123adf3394eb1db518c72de323441ab548b3ab30b9d3844102c1723c94d2f83
False
c:\users\ciihmn~1\appdata\local\temp\f475.tmp 0.01 KB (8 bytes) MD5: 0fe5a713f286f220c91a08b30542ae0f
SHA1: 452bdea5a923e770304174c86876749ad68736e5
SHA256: 8123adf3394eb1db518c72de323441ab548b3ab30b9d3844102c1723c94d2f83
False
c:\users\ciihmn~1\appdata\local\temp\f485.tmp 0.01 KB (8 bytes) MD5: e102f4f45076f59380e7c6d844d55c39
SHA1: 3ac8c45455eaec9ee64251ecece9f70481af4b21
SHA256: 7822a8a931d8d38d67968a64e969ab18e9369a8d0b3fadbfd0018add463b0dd9
False
c:\users\ciihmn~1\appdata\local\temp\f486.tmp 0.01 KB (8 bytes) MD5: e102f4f45076f59380e7c6d844d55c39
SHA1: 3ac8c45455eaec9ee64251ecece9f70481af4b21
SHA256: 7822a8a931d8d38d67968a64e969ab18e9369a8d0b3fadbfd0018add463b0dd9
False
c:\users\ciihmn~1\appdata\local\temp\f487.tmp 0.01 KB (8 bytes) MD5: e102f4f45076f59380e7c6d844d55c39
SHA1: 3ac8c45455eaec9ee64251ecece9f70481af4b21
SHA256: 7822a8a931d8d38d67968a64e969ab18e9369a8d0b3fadbfd0018add463b0dd9
False
c:\users\ciihmn~1\appdata\local\temp\f488.tmp 0.01 KB (8 bytes) MD5: e102f4f45076f59380e7c6d844d55c39
SHA1: 3ac8c45455eaec9ee64251ecece9f70481af4b21
SHA256: 7822a8a931d8d38d67968a64e969ab18e9369a8d0b3fadbfd0018add463b0dd9
False
c:\users\ciihmn~1\appdata\local\temp\f499.tmp 0.01 KB (8 bytes) MD5: 9884e4f00c2714eeebf230e5b40e9480
SHA1: be8269c4c4929b4f35d057725d122d17805716b9
SHA256: f42fda1c199b447e1d1e4008eb7897c4ca4ecf3a2f7fdea829b9c35e6e044458
False
c:\users\ciihmn~1\appdata\local\temp\f4b9.tmp 0.01 KB (8 bytes) MD5: b9fbcebb04b9f7e4d3f07b023a0229fd
SHA1: f2173b4759317545d5f81a88982aa637099de5b6
SHA256: 359c38c6582afda6a9913c1f4870e5e35e47a1f8d6959dea71abb2b94b094476
False
c:\users\ciihmn~1\appdata\local\temp\f4ba.tmp 0.01 KB (8 bytes) MD5: b9fbcebb04b9f7e4d3f07b023a0229fd
SHA1: f2173b4759317545d5f81a88982aa637099de5b6
SHA256: 359c38c6582afda6a9913c1f4870e5e35e47a1f8d6959dea71abb2b94b094476
False
c:\users\ciihmn~1\appdata\local\temp\f4bb.tmp 0.01 KB (8 bytes) MD5: b9fbcebb04b9f7e4d3f07b023a0229fd
SHA1: f2173b4759317545d5f81a88982aa637099de5b6
SHA256: 359c38c6582afda6a9913c1f4870e5e35e47a1f8d6959dea71abb2b94b094476
False
c:\users\ciihmn~1\appdata\local\temp\f4cc.tmp 0.01 KB (8 bytes) MD5: b3574d66d7c98d6f82168937555180f2
SHA1: c7e08e3a085493db3cb9df920890015bda11cc50
SHA256: 8544a403db6bc12357c9d122731239fb5101b1949bdfe09ffe6dbfeebcc73919
False
c:\users\ciihmn~1\appdata\local\temp\f4cd.tmp 0.01 KB (8 bytes) MD5: b3574d66d7c98d6f82168937555180f2
SHA1: c7e08e3a085493db3cb9df920890015bda11cc50
SHA256: 8544a403db6bc12357c9d122731239fb5101b1949bdfe09ffe6dbfeebcc73919
False
c:\users\ciihmn~1\appdata\local\temp\f4ce.tmp 0.01 KB (8 bytes) MD5: b3574d66d7c98d6f82168937555180f2
SHA1: c7e08e3a085493db3cb9df920890015bda11cc50
SHA256: 8544a403db6bc12357c9d122731239fb5101b1949bdfe09ffe6dbfeebcc73919
False
c:\users\ciihmn~1\appdata\local\temp\f4cf.tmp 0.01 KB (8 bytes) MD5: b3574d66d7c98d6f82168937555180f2
SHA1: c7e08e3a085493db3cb9df920890015bda11cc50
SHA256: 8544a403db6bc12357c9d122731239fb5101b1949bdfe09ffe6dbfeebcc73919
False
c:\users\ciihmn~1\appdata\local\temp\f4df.tmp 0.01 KB (8 bytes) MD5: 426861378070228083370ab1716f5d34
SHA1: 6bdb6c1b524e52bc373739e7022ee164a7b63086
SHA256: c371441da18d02cf86e7de5a784754e94b67f74f69012029901896b081d114d2
False
c:\users\ciihmn~1\appdata\local\temp\f4e0.tmp 0.01 KB (8 bytes) MD5: 426861378070228083370ab1716f5d34
SHA1: 6bdb6c1b524e52bc373739e7022ee164a7b63086
SHA256: c371441da18d02cf86e7de5a784754e94b67f74f69012029901896b081d114d2
False
c:\users\ciihmn~1\appdata\local\temp\f4f1.tmp 0.01 KB (8 bytes) MD5: 8c63a5d8e82e6edd83997890130d40c7
SHA1: cb22abc76e59b8fd55b756731f2942b02a50d765
SHA256: 854926af3596aa48c171f2877729389f90de5d6add7a00334444d67683c510d6
False
c:\users\ciihmn~1\appdata\local\temp\f4f2.tmp 0.01 KB (8 bytes) MD5: 8c63a5d8e82e6edd83997890130d40c7
SHA1: cb22abc76e59b8fd55b756731f2942b02a50d765
SHA256: 854926af3596aa48c171f2877729389f90de5d6add7a00334444d67683c510d6
False
c:\users\ciihmn~1\appdata\local\temp\f4f3.tmp 0.01 KB (8 bytes) MD5: 8c63a5d8e82e6edd83997890130d40c7
SHA1: cb22abc76e59b8fd55b756731f2942b02a50d765
SHA256: 854926af3596aa48c171f2877729389f90de5d6add7a00334444d67683c510d6
False
c:\users\ciihmn~1\appdata\local\temp\f4f4.tmp 0.01 KB (8 bytes) MD5: 8c63a5d8e82e6edd83997890130d40c7
SHA1: cb22abc76e59b8fd55b756731f2942b02a50d765
SHA256: 854926af3596aa48c171f2877729389f90de5d6add7a00334444d67683c510d6
False
c:\users\ciihmn~1\appdata\local\temp\f4f5.tmp 0.01 KB (8 bytes) MD5: 8c63a5d8e82e6edd83997890130d40c7
SHA1: cb22abc76e59b8fd55b756731f2942b02a50d765
False
c:\users\ciihmn~1\appdata\local\temp\fa86.tmp 0.01 KB (8 bytes) MD5: 138f3113f76d726288c4e978cb0413f2
SHA1: 611ca0828647b0ac4ea3bcd22f3c28686824a101
SHA256: 573fd261ce7b58332e9f24a7c4a17d2224e3d0d4c48941e5e03297a7d305f35b
False
c:\users\ciihmn~1\appdata\local\temp\fa96.tmp 0.01 KB (8 bytes) MD5: 418548d74f249fbcc5f08511e5c7bb56
SHA1: b751b27e5a560d2973a7432be8e37d02686faf24
SHA256: 146953e94da698ad13f60d6002476e2ee28273caff5ab17f059f1d9b97054b2c
False
c:\users\ciihmn~1\appdata\local\temp\fa97.tmp 0.01 KB (8 bytes) MD5: 418548d74f249fbcc5f08511e5c7bb56
SHA1: b751b27e5a560d2973a7432be8e37d02686faf24
SHA256: 146953e94da698ad13f60d6002476e2ee28273caff5ab17f059f1d9b97054b2c
False
c:\users\ciihmn~1\appdata\local\temp\fa98.tmp 0.01 KB (8 bytes) MD5: 418548d74f249fbcc5f08511e5c7bb56
SHA1: b751b27e5a560d2973a7432be8e37d02686faf24
SHA256: 146953e94da698ad13f60d6002476e2ee28273caff5ab17f059f1d9b97054b2c
False
c:\users\ciihmn~1\appdata\local\temp\fa99.tmp 0.01 KB (8 bytes) MD5: 418548d74f249fbcc5f08511e5c7bb56
SHA1: b751b27e5a560d2973a7432be8e37d02686faf24
SHA256: 146953e94da698ad13f60d6002476e2ee28273caff5ab17f059f1d9b97054b2c
False
c:\users\ciihmn~1\appdata\local\temp\faaa.tmp 0.01 KB (8 bytes) MD5: 0511f1993ecc2f294faa8dace502d19c
SHA1: 98ee28a4f58bdac0f7e0ddc22e03a7f530956408
SHA256: fc0750c6642725c86799dc19741bc1a529186a18530d7fd030a3668e961b30b7
False
c:\users\ciihmn~1\appdata\local\temp\faca.tmp 0.01 KB (8 bytes) MD5: b5975ffa385dc00cc1ee73251b6f7cdf
SHA1: 87164e350ca6d29c9ea1aa778ea40372a8eef860
SHA256: 5e7554b0e9e8cdd55822716d16264911814f41976e4476e112c3a46bda5316df
False
c:\users\ciihmn~1\appdata\local\temp\facb.tmp 0.01 KB (8 bytes) MD5: b5975ffa385dc00cc1ee73251b6f7cdf
SHA1: 87164e350ca6d29c9ea1aa778ea40372a8eef860
SHA256: 5e7554b0e9e8cdd55822716d16264911814f41976e4476e112c3a46bda5316df
False
c:\users\ciihmn~1\appdata\local\temp\facc.tmp 0.01 KB (8 bytes) MD5: 93c8cf85d0d5b115d17169d1e9308d1c
SHA1: 0253e619a7e637ad4e0dc752f4847c5031faa630
SHA256: 77cef3d40b18c42fe9b813a853be8711f1b2f971da24c26fba35d44122d84b89
False
c:\users\ciihmn~1\appdata\local\temp\facd.tmp 0.01 KB (8 bytes) MD5: 93c8cf85d0d5b115d17169d1e9308d1c
SHA1: 0253e619a7e637ad4e0dc752f4847c5031faa630
SHA256: 77cef3d40b18c42fe9b813a853be8711f1b2f971da24c26fba35d44122d84b89
False
c:\users\ciihmn~1\appdata\local\temp\fb4b.tmp 0.01 KB (8 bytes) MD5: a03c7050677123d24e0f908411639daf
SHA1: faad9f20113781013e8895743428e74fb4abf633
SHA256: cf4c4c6109dcf0a94857fefd4dc36767bf61ca3885e9e575481096e24f290e4c
False
c:\users\ciihmn~1\appdata\local\temp\fb6b.tmp 0.01 KB (8 bytes) MD5: 5021321237c3cbcedbe86bc2eda5575f
SHA1: 8282b1d20c1cbb3149c3269733801eeb9a3de567
SHA256: 402bea642f6fa667bdd43ffe9acea915addead54da069c3282d074e05c03eb8e
False
c:\users\ciihmn~1\appdata\local\temp\fb6c.tmp 0.01 KB (8 bytes) MD5: 5021321237c3cbcedbe86bc2eda5575f
SHA1: 8282b1d20c1cbb3149c3269733801eeb9a3de567
SHA256: 402bea642f6fa667bdd43ffe9acea915addead54da069c3282d074e05c03eb8e
False
c:\users\ciihmn~1\appdata\local\temp\fb6d.tmp 0.01 KB (8 bytes) MD5: 5021321237c3cbcedbe86bc2eda5575f
SHA1: 8282b1d20c1cbb3149c3269733801eeb9a3de567
SHA256: 402bea642f6fa667bdd43ffe9acea915addead54da069c3282d074e05c03eb8e
False
c:\users\ciihmn~1\appdata\local\temp\fb7e.tmp 0.01 KB (8 bytes) MD5: 3b6d47524dd9aadcd8087e8066cfedbb
SHA1: 95e7c67e66d21b44a437cd408c1fe891073218e9
SHA256: 8a14e9bef42d8e77d645765a27de8d55846007ef73b48a4cdf37619801f93ce2
False
c:\users\ciihmn~1\appdata\local\temp\fb7f.tmp 0.01 KB (8 bytes) MD5: 3b6d47524dd9aadcd8087e8066cfedbb
SHA1: 95e7c67e66d21b44a437cd408c1fe891073218e9
SHA256: 8a14e9bef42d8e77d645765a27de8d55846007ef73b48a4cdf37619801f93ce2
False
c:\users\ciihmn~1\appdata\local\temp\fb90.tmp 0.01 KB (8 bytes) MD5: f98f23a4f9e6dc8f433d6c263e6ad636
SHA1: ca167eead7432324b32261a98f0b05f6fd581edc
SHA256: df020e01c7255d67feab95591a7b9b90718d3d556352a17d5bc29c5a8df7cc41
False
c:\users\ciihmn~1\appdata\local\temp\fb91.tmp 0.01 KB (8 bytes) MD5: f98f23a4f9e6dc8f433d6c263e6ad636
SHA1: ca167eead7432324b32261a98f0b05f6fd581edc
SHA256: df020e01c7255d67feab95591a7b9b90718d3d556352a17d5bc29c5a8df7cc41
False
c:\users\ciihmn~1\appdata\local\temp\fba1.tmp 0.01 KB (8 bytes) MD5: b8403b24cec2c2fe3ad8d388ff5c2692
SHA1: 391d3e10403f244ec1919fca4dd1bf5d2180d73a
SHA256: 232b42d82017c86b66aa5f4dcd362c5be6aee746f55e8465a4eb1e62eb6fae3d
False
c:\users\ciihmn~1\appdata\local\temp\fba2.tmp 0.01 KB (8 bytes) MD5: b8403b24cec2c2fe3ad8d388ff5c2692
SHA1: 391d3e10403f244ec1919fca4dd1bf5d2180d73a
SHA256: 232b42d82017c86b66aa5f4dcd362c5be6aee746f55e8465a4eb1e62eb6fae3d
False
c:\users\ciihmn~1\appdata\local\temp\fba3.tmp 0.01 KB (8 bytes) MD5: b8403b24cec2c2fe3ad8d388ff5c2692
SHA1: 391d3e10403f244ec1919fca4dd1bf5d2180d73a
SHA256: 232b42d82017c86b66aa5f4dcd362c5be6aee746f55e8465a4eb1e62eb6fae3d
False
c:\users\ciihmn~1\appdata\local\temp\fbb4.tmp 0.01 KB (8 bytes) MD5: e307f8f8f230a2dd8989867ae53a7840
SHA1: d6a7d14aeffddf8a05d8c52aaf0e949cc8af4df9
SHA256: f4d61ad4fa3f52aa710ba9ef52a71b9c8faa9dbbb52ff66c47b4441febe8c6e9
False
c:\users\ciihmn~1\appdata\local\temp\fbb5.tmp 0.01 KB (8 bytes) MD5: e307f8f8f230a2dd8989867ae53a7840
SHA1: d6a7d14aeffddf8a05d8c52aaf0e949cc8af4df9
SHA256: f4d61ad4fa3f52aa710ba9ef52a71b9c8faa9dbbb52ff66c47b4441febe8c6e9
False
c:\users\ciihmn~1\appdata\local\temp\fbb6.tmp 0.01 KB (8 bytes) MD5: e307f8f8f230a2dd8989867ae53a7840
SHA1: d6a7d14aeffddf8a05d8c52aaf0e949cc8af4df9
SHA256: f4d61ad4fa3f52aa710ba9ef52a71b9c8faa9dbbb52ff66c47b4441febe8c6e9
False
c:\users\ciihmn~1\appdata\local\temp\fbb7.tmp 0.01 KB (8 bytes) MD5: e307f8f8f230a2dd8989867ae53a7840
SHA1: d6a7d14aeffddf8a05d8c52aaf0e949cc8af4df9
SHA256: f4d61ad4fa3f52aa710ba9ef52a71b9c8faa9dbbb52ff66c47b4441febe8c6e9
False
c:\users\ciihmn~1\appdata\local\temp\fbd7.tmp 0.01 KB (8 bytes) MD5: 644b05368f7512cae99e3857f9027bcf
SHA1: 690f3b113810afc8e70466194bf436cc1312b33e
SHA256: 864f9116027c7a0276777094e7a0f8dc73993c34f9123c7d978ee744e4dbd500
False
c:\users\ciihmn~1\appdata\local\temp\fbd8.tmp 0.01 KB (8 bytes) MD5: 644b05368f7512cae99e3857f9027bcf
SHA1: 690f3b113810afc8e70466194bf436cc1312b33e
SHA256: 864f9116027c7a0276777094e7a0f8dc73993c34f9123c7d978ee744e4dbd500
False
c:\users\ciihmn~1\appdata\local\temp\fbe9.tmp 0.01 KB (8 bytes) MD5: 29a8e19f453787602095a98287b92983
SHA1: b7e1af9f360642f06d7d75a41e09838bdfc71afc
SHA256: d7c0b9600744ea6c64c05815a19cf3d91ada60e64edeeb3f9a3b5fbc98a22ee1
False
c:\users\ciihmn~1\appdata\local\temp\fbea.tmp 0.01 KB (8 bytes) MD5: 29a8e19f453787602095a98287b92983
SHA1: b7e1af9f360642f06d7d75a41e09838bdfc71afc
SHA256: d7c0b9600744ea6c64c05815a19cf3d91ada60e64edeeb3f9a3b5fbc98a22ee1
False
c:\users\ciihmn~1\appdata\local\temp\fbeb.tmp 0.01 KB (8 bytes) MD5: 29a8e19f453787602095a98287b92983
SHA1: b7e1af9f360642f06d7d75a41e09838bdfc71afc
SHA256: d7c0b9600744ea6c64c05815a19cf3d91ada60e64edeeb3f9a3b5fbc98a22ee1
False
c:\users\ciihmn~1\appdata\local\temp\fbec.tmp 0.01 KB (8 bytes) MD5: 29a8e19f453787602095a98287b92983
SHA1: b7e1af9f360642f06d7d75a41e09838bdfc71afc
SHA256: d7c0b9600744ea6c64c05815a19cf3d91ada60e64edeeb3f9a3b5fbc98a22ee1
False
c:\users\ciihmn~1\appdata\local\temp\fbfc.tmp 0.01 KB (8 bytes) MD5: 03b26eefb62150cc56da444a144e9be1
SHA1: f40a7f3e6c9d8b7a979d4d776a32767bb79bc89f
SHA256: 1160ca78c4e98eda9addcb9966a4e56df9f102fcc1a9e48f3e6f512ff2974b61
False
c:\users\ciihmn~1\appdata\local\temp\fbfd.tmp 0.01 KB (8 bytes) MD5: 03b26eefb62150cc56da444a144e9be1
SHA1: f40a7f3e6c9d8b7a979d4d776a32767bb79bc89f
SHA256: 1160ca78c4e98eda9addcb9966a4e56df9f102fcc1a9e48f3e6f512ff2974b61
False
c:\users\ciihmn~1\appdata\local\temp\fbfe.tmp 0.01 KB (8 bytes) MD5: 03b26eefb62150cc56da444a144e9be1
SHA1: f40a7f3e6c9d8b7a979d4d776a32767bb79bc89f
SHA256: 1160ca78c4e98eda9addcb9966a4e56df9f102fcc1a9e48f3e6f512ff2974b61
False
c:\users\ciihmn~1\appdata\local\temp\fc0f.tmp 0.01 KB (8 bytes) MD5: 474a65b62cb05adc115bbd1ede09301b
SHA1: 919343acf762452776e634a9bf202c30fb6a7f9b
SHA256: 99eae660e8a11ebd18d71e8faf2fea8b3cfc95ae93bf339ff326e8e65b53a293
False
c:\users\ciihmn~1\appdata\local\temp\fc10.tmp 0.01 KB (8 bytes) MD5: 474a65b62cb05adc115bbd1ede09301b
SHA1: 919343acf762452776e634a9bf202c30fb6a7f9b
SHA256: 99eae660e8a11ebd18d71e8faf2fea8b3cfc95ae93bf339ff326e8e65b53a293
False
c:\users\ciihmn~1\appdata\local\temp\fc11.tmp 0.01 KB (8 bytes) MD5: 474a65b62cb05adc115bbd1ede09301b
SHA1: 919343acf762452776e634a9bf202c30fb6a7f9b
SHA256: 99eae660e8a11ebd18d71e8faf2fea8b3cfc95ae93bf339ff326e8e65b53a293
False
c:\users\ciihmn~1\appdata\local\temp\fc22.tmp 0.01 KB (8 bytes) MD5: e6a85d90c192b656121d5fb773bc9c7c
SHA1: f1923f3d154592e13686c626a452c5712572c703
SHA256: 4ab81fc69870779cdfccf4c642b53c832301c6173f803deb225a6e428b875813
False
Host Behavior
File (1434)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F2D7.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F2D8.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F2E8.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F2F9.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F2FA.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F2FB.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F2FC.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F32C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F33C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F33D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F33E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F33F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F350.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F351.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F381.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F382.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F383.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F384.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F385.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F396.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F397.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F398.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F399.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F39A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F3D9.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F3DA.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F3EB.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F3EC.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F3ED.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F3FD.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F41E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F42E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F42F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F430.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F441.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F442.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F472.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F473.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F474.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F475.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F485.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F486.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F487.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F488.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F499.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F4B9.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F4BA.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F4BB.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F4CC.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F4CD.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F4CE.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F4CF.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F4DF.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F4E0.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F4F1.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F4F2.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F4F3.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F4F4.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F4F5.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F506.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F507.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F508.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F509.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F50A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F51A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F51B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F51C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F53D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F53E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F53F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F540.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F541.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F551.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F552.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F553.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F554.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F565.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F566.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F567.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F568.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F569.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F579.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F57A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F57B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F57C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F58D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F58E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F58F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F590.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F5A1.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F5A2.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F5A3.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F5B3.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F5B4.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F5B5.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F5C6.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F5C7.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F5C8.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F5D9.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F5E9.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F5EA.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F5FB.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F5FC.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F5FD.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F60D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F60E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F60F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F610.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F621.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F622.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F623.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F634.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F635.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F636.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F637.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F647.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F648.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F649.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F6B8.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F6C8.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F6C9.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F6DA.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F6DB.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F6DC.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F6ED.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F6EE.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F6FE.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F6FF.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F700.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F701.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F712.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F722.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F723.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F724.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F725.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F736.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F737.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F738.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F749.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F74A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F75A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F75B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F75C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F77D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F77E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F78E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F78F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F790.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F7A1.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F7B1.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F7C2.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F7C3.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F7D4.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F7D5.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F7E5.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F806.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F816.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F827.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F837.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F838.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F849.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F84A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F84B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F85C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F86C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F86D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F89D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F89E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F89F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F8CF.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F8E0.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F8F0.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F8F1.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F902.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F903.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F914.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F915.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F916.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F926.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F927.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F928.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F939.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F93A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F94A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F96B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F96C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F96D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F98D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F98E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F99F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F9A0.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F9C0.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F9C1.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F9C2.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F9D2.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F9D3.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F9D4.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F9E5.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F9E6.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\F9F7.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FA07.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FA08.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FA09.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FA0A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FA1B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FA2C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FA2D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FA2E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FA3E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FA3F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FA50.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FA51.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FA52.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FA62.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FA63.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FA74.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FA85.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FA86.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FA96.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FA97.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FA98.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FA99.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FAAA.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FACA.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FACB.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FACC.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FACD.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FB4B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FB6B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FB6C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FB6D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FB7E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FB7F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FB90.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FB91.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FBA1.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FBA2.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FBA3.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FBB4.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FBB5.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FBB6.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FBB7.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FBD7.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FBD8.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FBE9.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FBEA.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FBEB.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FBEC.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FBFC.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FBFD.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FBFE.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FC0F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FC10.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FC11.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FC22.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FC23.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FC24.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FC25.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FC35.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FC36.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FC37.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FC38.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FC49.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FC4A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FC4B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FC4C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FC5D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FC5E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FC5F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FC6F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FC70.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FC71.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FC72.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FC83.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FC84.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FC85.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FC86.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FC96.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FC97.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FC98.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FCA9.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\FCBA.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Windows\system32\c_1252.nls desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 3
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\84526935.scr desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Amsisigd\Chakmcat.exe desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Amsisigd\Chakmcat.exe desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\697\FD09.bat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft - False 1
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Amsisigd - True 1
Create Directory C:\Users\CIIHMN~1\AppData\Local\Temp\697 - True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F2D7.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F2D8.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F2E8.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F2F9.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F2FA.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F2FB.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F2FC.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F32C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F33C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F33D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F33E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F33F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F350.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F351.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F381.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F382.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F383.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F384.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F385.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F396.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F397.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F398.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F399.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F39A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F3D9.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F3DA.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F3EB.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F3EC.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F3ED.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F3FD.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F41E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F42E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F42F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F430.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F441.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F442.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F472.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F473.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F474.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F475.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F485.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F486.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F487.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F488.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F499.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F4B9.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F4BA.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F4BB.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F4CC.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F4CD.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F4CE.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F4CF.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F4DF.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F4E0.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F4F1.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F4F2.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F4F3.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F4F4.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F4F5.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F506.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F507.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F508.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F509.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F50A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F51A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F51B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F51C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F53D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F53E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F53F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F540.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F541.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F551.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F552.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F553.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F554.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F565.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F566.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F567.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F568.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F569.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F579.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F57A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F57B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F57C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F58D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F58E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F58F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F590.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F5A1.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F5A2.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F5A3.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F5B3.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F5B4.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F5B5.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F5C6.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F5C7.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F5C8.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F5D9.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F5E9.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F5EA.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F5FB.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F5FC.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F5FD.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F60D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F60E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F60F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F610.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F621.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F622.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F623.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F634.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F635.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F636.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F637.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F647.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F648.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F649.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F6B8.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F6C8.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F6C9.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F6DA.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F6DB.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F6DC.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F6ED.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F6EE.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F6FE.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F6FF.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F700.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F701.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F712.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F722.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F723.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F724.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F725.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F736.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F737.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F738.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F749.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F74A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F75A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F75B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F75C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F77D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F77E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F78E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F78F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F790.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F7A1.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F7B1.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F7C2.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F7C3.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F7D4.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F7D5.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F7E5.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F806.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F816.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F827.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F837.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F838.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F849.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F84A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F84B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F85C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F86C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F86D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F89D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F89E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F89F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F8CF.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F8E0.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F8F0.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F8F1.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F902.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F903.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F914.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F915.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F916.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F926.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F927.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F928.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F939.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F93A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F94A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F96B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F96C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F96D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F98D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F98E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F99F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F9A0.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F9C0.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F9C1.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F9C2.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F9D2.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F9D3.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F9D4.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F9E5.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F9E6.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\F9F7.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FA07.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FA08.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FA09.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FA0A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FA1B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FA2C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FA2D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FA2E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FA3E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FA3F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FA50.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FA51.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FA52.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FA62.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FA63.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FA74.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FA85.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FA86.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FA96.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FA97.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FA98.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FA99.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FAAA.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FACA.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FACB.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FACC.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FACD.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FB4B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FB6B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FB6C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FB6D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FB7E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FB7F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FB90.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FB91.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FBA1.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FBA2.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FBA3.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FBB4.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FBB5.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FBB6.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FBB7.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FBD7.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FBD8.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FBE9.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FBEA.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FBEB.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FBEC.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FBFC.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FBFD.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FBFE.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FC0F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FC10.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FC11.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FC22.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FC23.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FC24.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FC25.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FC35.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FC36.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FC37.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FC38.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FC49.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FC4A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FC4B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FC4C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FC5D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FC5E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FC5F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FC6F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FC70.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FC71.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FC72.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FC83.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FC84.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FC85.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FC86.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FC96.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FC97.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FC98.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FCA9.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\FCBA.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\697.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\697\FD09.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\697 True 1
Fn
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F75A.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F75B.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F75C.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F77D.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F77E.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F78E.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F78F.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F790.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F7A1.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F7B1.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F7C2.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F7C3.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F7D4.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F7D5.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F7E5.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F806.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F816.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F827.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F837.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F838.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F849.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F84A.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F84B.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F85C.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F86C.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F86D.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F89D.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F89E.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F89F.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F8CF.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F8E0.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F8F0.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F8F1.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F902.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F903.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F914.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F915.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F916.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F926.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F927.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F928.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F939.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F93A.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F94A.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F96B.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F96C.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F96D.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F98D.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F98E.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F99F.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F9A0.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F9C0.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F9C1.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F9C2.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F9D2.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F9D3.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F9D4.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F9E5.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F9E6.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\F9F7.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FA07.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FA08.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FA09.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FA0A.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FA1B.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FA2C.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FA2D.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FA2E.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FA3E.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FA3F.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FA50.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FA51.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FA52.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FA62.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FA63.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FA74.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FA85.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FA86.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FA96.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FA97.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FA98.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FA99.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FAAA.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FACA.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FACB.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FACC.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FACD.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FB4B.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FB6B.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FB6C.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FB6D.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FB7E.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FB7F.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FB90.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FB91.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FBA1.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FBA2.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FBA3.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FBB4.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FBB5.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FBB6.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FBB7.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FBD7.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FBD8.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FBE9.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FBEA.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FBEB.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FBEC.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FBFC.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FBFD.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FBFE.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FC0F.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FC10.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FC11.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FC22.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FC23.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FC24.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FC25.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FC35.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FC36.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FC37.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FC38.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FC49.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FC4A.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FC4B.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FC4C.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FC5D.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FC5E.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FC5F.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FC6F.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FC70.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FC71.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FC72.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FC83.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FC84.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FC85.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FC86.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FC96.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FC97.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FC98.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FCA9.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\FCBA.tmp type = time True 1
Fn
Get Info C:\Windows\system32\c_1252.nls type = time True 1
Get Info C:\Windows\system32\c_1252.nls type = time True 1
Get Info C:\Windows\system32\c_1252.nls type = time True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\84526935.scr type = size True 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\84526935.scr size = 490496, size_out = 490496 True 1
For performance reasons, the remaining 431 entries are omitted.
The remaining entries can be found in glog.xml.
Registry (17)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Open Key HKEY_USERS - True 1
Open Key HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Open Key HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = Accocca, data = 160, type = REG_NONE False 1
Read Value HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = 0, type = REG_SZ True 1
Read Value HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming, type = REG_SZ True 1
Read Value HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 value_name = Client, data = 0, type = REG_NONE False 1
Write Value HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Run value_name = Accocca, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Amsisigd\Chakmcat.exe, size = 140, type = REG_SZ True 1
Enumerate Keys HKEY_USERS - True 1
Enumerate Keys HKEY_USERS - True 1
Enumerate Keys HKEY_USERS - True 1
Enumerate Keys HKEY_USERS - True 1
Enumerate Keys HKEY_USERS - True 1
Enumerate Keys HKEY_USERS - True 1
Enumerate Keys HKEY_USERS - False 1
Process (2)
Operation Process Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\697\FD09.bat show_window = SW_HIDE True 1
Open c:\windows\explorer.exe desired_access = PROCESS_QUERY_INFORMATION True 1
Module (163)
Operation Module Additional Information Success Count Logfile
Load ntdll.dll base_address = 0x77190000 True 1
Load SHLWAPI.dll base_address = 0x75dc0000 True 1
Load KERNEL32.dll base_address = 0x76bc0000 True 1
Load USER32.dll base_address = 0x74500000 True 1
Load ADVAPI32.dll base_address = 0x75d40000 True 1
Load SHELL32.dll base_address = 0x74760000 True 1
Load ole32.dll base_address = 0x74640000 True 1
Load USER32.DLL base_address = 0x74500000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76bc0000 True 13
Get Handle c:\users\ciihmn~1\appdata\local\temp\84526935.scr base_address = 0x400000 True 1
Get Handle c:\windows\syswow64\user32.dll base_address = 0x74500000 True 1
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77190000 True 1
Get Filename - process_name = c:\users\ciihmn~1\appdata\local\temp\84526935.scr, file_name_orig = C:\Users\CIIHMN~1\AppData\Local\Temp\84526935.scr, size = 260 True 1
Get Filename c:\users\ciihmn~1\appdata\local\temp\84526935.scr process_name = c:\users\ciihmn~1\appdata\local\temp\84526935.scr, file_name_orig = C:\Users\CIIHMN~1\AppData\Local\Temp\84526935.scr, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76bda330 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76bd7580 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76bd9910 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76bdf400 True 1
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x771ef190 True 8
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x771ea200 True 3
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x76bd9640 True 2
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76bd8b70 True 3
Get Address c:\windows\syswow64\ntdll.dll function = ZwClose, address_out = 0x771f8cb0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = ZwQueryInformationToken, address_out = 0x771f8df0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlNtStatusToDosError, address_out = 0x771e3010 True 1
Get Address c:\windows\syswow64\ntdll.dll function = ZwOpenProcess, address_out = 0x771f8e40 True 1
Get Address c:\windows\syswow64\ntdll.dll function = ZwQueryInformationProcess, address_out = 0x771f8d50 True 1
Get Address c:\windows\syswow64\ntdll.dll function = mbstowcs, address_out = 0x771fe610 True 1
Get Address c:\windows\syswow64\ntdll.dll function = memset, address_out = 0x771fee50 True 1
Get Address c:\windows\syswow64\ntdll.dll function = memcpy, address_out = 0x771fe7b0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySystemInformation, address_out = 0x771f8f40 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtUnmapViewOfSection, address_out = 0x771f8e80 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtMapViewOfSection, address_out = 0x771f8e60 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlUpcaseUnicodeString, address_out = 0x771de040 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtCreateSection, address_out = 0x771f9080 True 1
Get Address c:\windows\syswow64\ntdll.dll function = ZwOpenProcessToken, address_out = 0x771f9d20 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlFreeUnicodeString, address_out = 0x771cb940 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlUnwind, address_out = 0x771eaca0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtQueryVirtualMemory, address_out = 0x771f8e10 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindExtensionW, address_out = 0x75dd7c40 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = StrRChrA, address_out = 0x75de2900 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindExtensionA, address_out = 0x75de1db0 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = StrChrA, address_out = 0x75de26c0 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathCombineW, address_out = 0x75ddcd50 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindFileNameW, address_out = 0x75dd80d0 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = StrChrW, address_out = 0x75dd6a00 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = StrTrimW, address_out = 0x75dd83a0 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindFileNameA, address_out = 0x75dd8970 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ResetEvent, address_out = 0x76be60b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76be5f20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x76bdd8d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventA, address_out = 0x76be5f70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateWaitableTimerA, address_out = 0x76bddb30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x76be57f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x76c00960 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileAttributesW, address_out = 0x76be6510 True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileA, address_out = 0x76be61a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76be6590 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x771cda90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetEvent, address_out = 0x76be60c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileTime, address_out = 0x76be6380 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76bd7940 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76bd2db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatW, address_out = 0x76bfd320 True 1
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x76bd77b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x76be6170 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiW, address_out = 0x76bd7540 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76bd25e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x76bd2d80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetWaitableTimer, address_out = 0x76be60d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x76bda4b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76be74f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapCreate, address_out = 0x76bd9950 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapDestroy, address_out = 0x76bdd940 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x76be6110 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76bd2b90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileW, address_out = 0x76be61b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ExpandEnvironmentStringsA, address_out = 0x76c00da0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtectEx, address_out = 0x76c02a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ResumeThread, address_out = 0x76bda280 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SuspendThread, address_out = 0x76bded00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpA, address_out = 0x76bdc1f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTempFileNameA, address_out = 0x76be63f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryA, address_out = 0x76be6140 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTempPathA, address_out = 0x76be6410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76bd1b90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSize, address_out = 0x76be6360 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpynA, address_out = 0x76bdf7b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileA, address_out = 0x76be6270 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareFileTime, address_out = 0x76be6130 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLongPathNameW, address_out = 0x76bd47c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OpenProcess, address_out = 0x76bd92b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersion, address_out = 0x76bda300 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76bd1d90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x76be61d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x76bde320 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExpandEnvironmentStringsW, address_out = 0x76bdc8c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x76bdefc0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x76be3a30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x76be6530 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x76be64a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76bd9560 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x76bda040 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x76be6180 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x76bd2af0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76bd8c70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiA, address_out = 0x76bd7610 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetEndOfFile, address_out = 0x76be64f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x76bfd410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryW, address_out = 0x76be6150 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x76be62a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalFree, address_out = 0x76bd87c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileA, address_out = 0x76be6210 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = wsprintfW, address_out = 0x7452ddf0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = wsprintfA, address_out = 0x7452ea00 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExA, address_out = 0x75d5ee40 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x75d8bda0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyA, address_out = 0x75d631a0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetTokenInformation, address_out = 0x75d5ed40 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenProcessToken, address_out = 0x75d5ee90 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetSidSubAuthority, address_out = 0x75d60ea0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCreateKeyA, address_out = 0x75d63150 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x75d5f0a0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExA, address_out = 0x75d60750 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegDeleteValueW, address_out = 0x75d60ca0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyW, address_out = 0x75d5f590 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegEnumKeyExA, address_out = 0x75d62520 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x75d5efa0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x75d5ed60 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExA, address_out = 0x75d5f000 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetSidSubAuthorityCount, address_out = 0x75d60f50 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x748f4cb0 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteW, address_out = 0x748f4370 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = 92, address_out = 0x749d7560 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoInitializeEx, address_out = 0x76d5cd50 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoUninitialize, address_out = 0x76d5dca0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsWow64Process, address_out = 0x76bd96e0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = FindWindowA, address_out = 0x74530980 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetWindowThreadProcessId, address_out = 0x7451ba70 True 1
Fn
Window (1)
Operation Window Name Additional Information Success Count Logfile
Find - class_name = ProgMan True 1
Fn
System (5)
Operation Additional Information Success Count Logfile
Get Time type = Ticks, time = 130031 True 3
Fn
Get Time type = System Time, time = 2017-12-11 16:43:28 (UTC) True 1
Fn
Get Info type = Operating System True 1
Fn
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Fn
Data
Process #4: cmd.exe
(Host: 252, Network: 0)
Information Value
ID #4
File Name c:\windows\syswow64\cmd.exe
Command Line C:\Windows\system32\cmd.exe /c ""C:\Users\CIIHMN~1\AppData\Local\Temp\697\FD09.bat" "C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\Amsisigd\Chakmcat.exe" "C:\Users\CIIHMN~1\AppData\Local\Temp\84526935.scr""
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:56, Reason: Child Process
Unmonitor End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration 00:01:24
OS Process Information
Information Value
PID 0xcc4
Parent PID 0xbec (c:\users\ciihmn~1\appdata\local\temp\84526935.scr)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x CCC
0x 5B4
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000420000 0x00420000 0x0043ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000420000 0x00420000 0x0042ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000430000 0x00430000 0x00433fff Private Memory Readable, Writable True False False
private_0x0000000000440000 0x00440000 0x00441fff Private Memory Readable, Writable True True False
private_0x0000000000440000 0x00440000 0x00443fff Private Memory Readable, Writable True False False
pagefile_0x0000000000450000 0x00450000 0x00463fff Pagefile Backed Memory Readable True False False
private_0x0000000000470000 0x00470000 0x004affff Private Memory Readable, Writable True False False
private_0x00000000004b0000 0x004b0000 0x005affff Private Memory Readable, Writable True False False
pagefile_0x00000000005b0000 0x005b0000 0x005b3fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000005c0000 0x005c0000 0x005c0fff Pagefile Backed Memory Readable True False False
private_0x00000000005d0000 0x005d0000 0x005d1fff Private Memory Readable, Writable True False False
private_0x00000000005e0000 0x005e0000 0x0061ffff Private Memory Readable, Writable True False False
private_0x0000000000620000 0x00620000 0x0062ffff Private Memory Readable, Writable True False False
private_0x0000000000650000 0x00650000 0x0065ffff Private Memory Readable, Writable True False False
locale.nls 0x00660000 0x0071dfff Memory Mapped File Readable False False False
cmd.exe.mui 0x00720000 0x00740fff Memory Mapped File Readable False False False
private_0x0000000000800000 0x00800000 0x008fffff Private Memory Readable, Writable True False False
private_0x0000000000900000 0x00900000 0x009fffff Private Memory Readable, Writable True False False
private_0x0000000000be0000 0x00be0000 0x00beffff Private Memory Readable, Writable True False False
sortdefault.nls 0x00bf0000 0x00f26fff Memory Mapped File Readable False False False
cmd.exe 0x01350000 0x0139ffff Memory Mapped File Readable, Writable, Executable True False False
pagefile_0x00000000013a0000 0x013a0000 0x0539ffff Pagefile Backed Memory - True False False
wow64cpu.dll 0x5c9f0000 0x5c9f7fff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x5ca00000 0x5ca72fff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x5ca80000 0x5cacefff Memory Mapped File Readable, Writable, Executable False False False
cmdext.dll 0x73390000 0x73397fff Memory Mapped File Readable, Writable, Executable False False False
bcryptprimitives.dll 0x74230000 0x74288fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x74290000 0x74299fff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x742a0000 0x742bdfff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x75b80000 0x75c3dfff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x75d40000 0x75dbafff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x75e70000 0x75f1bfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75f20000 0x76095fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x760a0000 0x760e2fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76bc0000 0x76caffff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77190000 0x77308fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007f4b0000 0x7f4b0000 0x7f5affff Pagefile Backed Memory Readable True False False
pagefile_0x000000007f5b0000 0x7f5b0000 0x7f5d2fff Pagefile Backed Memory Readable True False False
private_0x000000007f5d7000 0x7f5d7000 0x7f5d7fff Private Memory Readable, Writable True False False
private_0x000000007f5d9000 0x7f5d9000 0x7f5d9fff Private Memory Readable, Writable True False False
private_0x000000007f5da000 0x7f5da000 0x7f5dcfff Private Memory Readable, Writable True False False
private_0x000000007f5dd000 0x7f5dd000 0x7f5dffff Private Memory Readable, Writable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7dfb3d30ffff Private Memory Readable True False False
pagefile_0x00007dfb3d310000 0x7dfb3d310000 0x7ffb3d30ffff Pagefile Backed Memory - True False False
ntdll.dll 0x7ffb3d310000 0x7ffb3d4d1fff Memory Mapped File Readable, Writable, Executable False False False
private_0x00007ffb3d4d2000 0x7ffb3d4d2000 0x7ffffffeffff Private Memory Readable True False False
Host Behavior
File (202)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\697\FD09.bat desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 3
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\697\FD09.bat desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 3
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\697\FD09.bat desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Fn
Get Info C:\Windows\system32 type = file_attributes True 1
Fn
Get Info C:\Windows\System32 type = file_attributes True 1
Fn
Get Info "C:\Users\CIIHMN~1\AppData\Local\Temp\697\FD09.bat" type = file_attributes False 1
Fn
Get Info - type = file_type True 3
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 25
Fn
Get Info - type = file_type True 3
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\697\FD09.bat type = file_attributes True 2
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\697 type = file_attributes True 1
Fn
Get Info STD_ERROR_HANDLE type = file_type True 1
Fn
Open STD_OUTPUT_HANDLE - True 88
Fn
Open STD_INPUT_HANDLE - True 7
Fn
Open - - True 12
Fn
Open - - True 13
Fn
Open \??\C:\Users\CIIHMN~1\AppData\Local\Temp\697\FD09.bat desired_access = DELETE, open_options = FILE_NON_DIRECTORY_FILE, FILE_DELETE_ON_CLOSE, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_DELETE True 1
Fn
Open STD_ERROR_HANDLE - True 3
Fn
Read - size = 8191, size_out = 110 True 1
Fn
Data
Read - size = 8191, size_out = 99 True 1
Fn
Data
Read - size = 8191, size_out = 66 True 1
Fn
Data
Read - size = 8191, size_out = 50 True 1
Fn
Data
Read - size = 8191, size_out = 19 True 1
Fn
Data
Read - size = 8191, size_out = 6 True 1
Fn
Data
Read - size = 8191, size_out = 0 True 1
Fn
Write STD_OUTPUT_HANDLE size = 2 True 8
Fn
Data
Write STD_OUTPUT_HANDLE size = 20 True 4
Fn
Data
Write STD_OUTPUT_HANDLE size = 3 True 4
Fn
Data
Write STD_OUTPUT_HANDLE size = 4 True 3
Fn
Data
Write STD_OUTPUT_HANDLE size = 73 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 12 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 125 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 13 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 10 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 53 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 33 True 1
Fn
Data
Registry (17)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 40, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (1)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\system32\cmd.exe os_pid = 0xd80, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Module (8)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\syswow64\cmd.exe base_address = 0x1350000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76bc0000 True 2
Fn
Get Filename - process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadUILanguage, address_out = 0x76c02780 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileExW, address_out = 0x76bdfa80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x76bda790 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x760335c0 True 1
Fn
Environment (24)
Operation Additional Information Success Count Logfile
Get Environment String - True 7
Fn
Data
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 3
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 4
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Get Environment String name = PROMPT, result_out = $P$G True 2
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Windows\System32 True 1
Fn
Set Environment String name = COPYCMD True 1
Fn
Set Environment String name = =ExitCode, value = 00000000 True 1
Fn
Set Environment String name = =ExitCodeAscii True 1
Fn
Process #6: cmd.exe
(Host: 52, Network: 0)
Information Value
ID #6
File Name c:\windows\syswow64\cmd.exe
Command Line cmd /C ""C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\Amsisigd\Chakmcat.exe" "C:\Users\CIIHMN~1\AppData\Local\Temp\84526935.scr""
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:57, Reason: Child Process
Unmonitor End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration 00:01:23
OS Process Information
Information Value
PID 0xd80
Parent PID 0xcc4 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x D64
0x D7C
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000f30000 0x00f30000 0x00f4ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000f30000 0x00f30000 0x00f3ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000f40000 0x00f40000 0x00f43fff Private Memory Readable, Writable True False False
private_0x0000000000f50000 0x00f50000 0x00f51fff Private Memory Readable, Writable True True False
private_0x0000000000f50000 0x00f50000 0x00f53fff Private Memory Readable, Writable True False False
pagefile_0x0000000000f60000 0x00f60000 0x00f73fff Pagefile Backed Memory Readable True False False
private_0x0000000000f80000 0x00f80000 0x00fbffff Private Memory Readable, Writable True False False
private_0x0000000000fc0000 0x00fc0000 0x010bffff Private Memory Readable, Writable True False False
pagefile_0x00000000010c0000 0x010c0000 0x010c3fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000010d0000 0x010d0000 0x010d0fff Pagefile Backed Memory Readable True False False
private_0x00000000010e0000 0x010e0000 0x010e1fff Private Memory Readable, Writable True False False
locale.nls 0x010f0000 0x011adfff Memory Mapped File Readable False False False
private_0x00000000011b0000 0x011b0000 0x011bffff Private Memory Readable, Writable True False False
private_0x00000000011c0000 0x011c0000 0x011fffff Private Memory Readable, Writable True False False
private_0x0000000001200000 0x01200000 0x012fffff Private Memory Readable, Writable True False False
cmd.exe 0x01350000 0x0139ffff Memory Mapped File Readable, Writable, Executable True False False
pagefile_0x00000000013a0000 0x013a0000 0x0539ffff Pagefile Backed Memory - True False False
private_0x00000000054c0000 0x054c0000 0x055bffff Private Memory Readable, Writable True False False
private_0x0000000005760000 0x05760000 0x0576ffff Private Memory Readable, Writable True False False
sortdefault.nls 0x05770000 0x05aa6fff Memory Mapped File Readable False False False
wow64cpu.dll 0x5c9f0000 0x5c9f7fff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x5ca00000 0x5ca72fff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x5ca80000 0x5cacefff Memory Mapped File Readable, Writable, Executable False False False
apphelp.dll 0x74190000 0x74220fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x75b80000 0x75c3dfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75f20000 0x76095fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76bc0000 0x76caffff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77190000 0x77308fff Memory Mapped File Readable, Writable, Executable False False False
sysmain.sdb 0x7efd0000 0x7f35ffff Memory Mapped File Readable False False False
pagefile_0x000000007f360000 0x7f360000 0x7f45ffff Pagefile Backed Memory Readable True False False
pagefile_0x000000007f460000 0x7f460000 0x7f482fff Pagefile Backed Memory Readable True False False
private_0x000000007f485000 0x7f485000 0x7f485fff Private Memory Readable, Writable True False False
private_0x000000007f487000 0x7f487000 0x7f489fff Private Memory Readable, Writable True False False
private_0x000000007f48a000 0x7f48a000 0x7f48cfff Private Memory Readable, Writable True False False
private_0x000000007f48d000 0x7f48d000 0x7f48dfff Private Memory Readable, Writable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7dfb3d30ffff Private Memory Readable True False False
pagefile_0x00007dfb3d310000 0x7dfb3d310000 0x7ffb3d30ffff Pagefile Backed Memory - True False False
ntdll.dll 0x7ffb3d310000 0x7ffb3d4d1fff Memory Mapped File Readable, Writable, Executable False False False
private_0x00007ffb3d4d2000 0x7ffb3d4d2000 0x7ffffffeffff Private Memory Readable True False False
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info C:\Windows\system32 type = file_attributes True 1
Fn
Get Info C:\Windows\System32 type = file_attributes True 1
Fn
Get Info "C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\Amsisigd\Chakmcat.exe" type = file_attributes False 1
Fn
Open STD_OUTPUT_HANDLE - True 5
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Registry (17)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 56, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (1)
Operation Process Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\Amsisigd\Chakmcat.exe os_pid = 0xd68, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Module (8)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\syswow64\cmd.exe base_address = 0x1350000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76bc0000 True 2
Fn
Get Filename - process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadUILanguage, address_out = 0x76c02780 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileExW, address_out = 0x76bdfa80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x76bda790 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x760335c0 True 1
Fn
Environment (16)
Operation Additional Information Success Count Logfile
Get Environment String - True 6
Fn
Data
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Get Environment String name = PROMPT, result_out = $P$G True 1
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Get Environment String name = KEYS False 1
Set Environment String name = =C:, value = C:\Windows\System32 True 1
Set Environment String name = COPYCMD True 1
Set Environment String name = =ExitCode, value = 00000000 True 1
Set Environment String name = =ExitCodeAscii True 1
Process #7: chakmcat.exe
(Host: 3709, Network: 0)
Information Value
ID #7
File Name c:\users\ciihmn~1\appdata\roaming\micros~1\amsisigd\chakmcat.exe
Command Line "C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\Amsisigd\Chakmcat.exe" "C:\Users\CIIHMN~1\AppData\Local\Temp\84526935.scr"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:57, Reason: Child Process
Unmonitor End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration 00:01:23
OS Process Information
Information Value
PID 0xd68
Parent PID 0xd80 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xD60
0xD5C
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
Host Behavior
File (3507)
Operation Filename Additional Information Success Count Logfile
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\15B4.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\15B5.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\15C6.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\15C7.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\15C8.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\15C9.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\15CA.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\15DB.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\15DC.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\15DD.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\15DE.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\15EE.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\15EF.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\15F0.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\15F1.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\15F2.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\15F3.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1604.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1605.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1606.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1607.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1617.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1618.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1619.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\161A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\161B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\162C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\162D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\162E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\162F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1630.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1631.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1642.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1643.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1644.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1645.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1646.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1656.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1657.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1658.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1659.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\165A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\166B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\166C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\166D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\166E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\166F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1670.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1681.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1682.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1683.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1684.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1685.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1695.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1696.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1697.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1698.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1699.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\16AA.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\16AB.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\16AC.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\16AD.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\16AE.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\16BE.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\16BF.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\16C0.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\16C1.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\16C2.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\16D3.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\16D4.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\16D5.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\16D6.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\16D7.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\16E8.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\16E9.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\16EA.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\16EB.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\16EC.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\16ED.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\16FD.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\16FE.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\16FF.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1700.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1701.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1712.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1713.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1714.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1715.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1716.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1727.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1728.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1729.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\172A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\172B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\173B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\174C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\174D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\174E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\174F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1750.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1760.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1761.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1762.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1763.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1764.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1775.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1776.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1777.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1778.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1779.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\177A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\179A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\17AB.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\17AC.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\17AD.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\17AE.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\17BF.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\17C0.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\17D0.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\17E1.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\17E2.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\17E3.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\17E4.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\17E5.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\17F5.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\17F6.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\17F7.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\17F8.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\17F9.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\180A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\180B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\180C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\180D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\180E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\181F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1820.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1821.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1822.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1823.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1833.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1834.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1835.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1836.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1837.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1848.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1849.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\184A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\184B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\185C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\185D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\186D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\186E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\186F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1870.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1871.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1872.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1883.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1884.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1885.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1886.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1896.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1897.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1898.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1899.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\18AA.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\18AB.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\18AC.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\18AD.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\18AE.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\18BF.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\18C0.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\18D0.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\18D1.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\18D2.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\18D3.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\18D4.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\18E5.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\18E6.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\18E7.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\18E8.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\18E9.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\18FA.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\18FB.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\18FC.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\18FD.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\18FE.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\18FF.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\190F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1910.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1911.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1912.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1913.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1924.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1925.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1926.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1927.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1928.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1938.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1939.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\193A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\193B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\193C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\194D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\194E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\194F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1950.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1951.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1962.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1963.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1964.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1965.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1975.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1976.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1987.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1988.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1989.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\198A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\199B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\199C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\199D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\199E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\199F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\19AF.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\19B0.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\19B1.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\19B2.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\19B3.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\19C4.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\19C5.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\19C6.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\19C7.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\19C8.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\19D8.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\19D9.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\19DA.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\19DB.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\19DC.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\19ED.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\19EE.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\19EF.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\19F0.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A01.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A02.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A03.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A04.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A05.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A15.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A16.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A17.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A18.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A19.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A2A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A2B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A2C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A2D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A2E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A3F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A40.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A41.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A51.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A52.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A53.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A54.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A55.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A66.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A67.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A68.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A69.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A6A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A7A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A7B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A7C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A7D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A7E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A8F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A90.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A91.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A92.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A93.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A94.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1AA5.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1AA6.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1AA7.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1AA8.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1AA9.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1AB9.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1ABA.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1ABB.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1ACC.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1ACD.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1ACE.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1ACF.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1AD0.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1AE1.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1AE2.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1AE3.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1AE4.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1AE5.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1AF5.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1AF6.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1AF7.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1AF8.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1AF9.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B0A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B0B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B0C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B0D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B0E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B1E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B1F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B20.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B21.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B22.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B33.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B34.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B35.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B36.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B37.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B48.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B49.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B4A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B4B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B4C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B5C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B5D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B6E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B6F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B70.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B71.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B72.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B83.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B84.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B85.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B86.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B96.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B97.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1B98.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1BA9.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1BAA.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1BAB.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1BAC.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1BAD.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1BBD.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1BBE.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1BBF.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1BC0.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1BC1.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1BD2.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1BD3.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1BD4.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1BD5.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1BD6.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1BE7.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1BE8.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1BE9.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1BF9.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1BFA.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1BFB.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1BFC.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C0D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C0E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C0F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C10.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C21.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C22.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C23.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C33.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C34.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C35.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C36.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C37.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C48.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C49.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C4A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C4B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C5B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C5C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C5D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C5E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C5F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C70.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C71.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C72.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C73.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C74.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C85.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C86.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C87.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C88.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C98.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C99.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C9A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C9B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1C9C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1CAD.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1CAE.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1CAF.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1CB0.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1CB1.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1CC2.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1CC3.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1CD3.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1CD4.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1CD5.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1CE6.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1CE7.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1CE8.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1CE9.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1CF9.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1CFA.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1CFB.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1CFC.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1CFD.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1D0E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1D0F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1D10.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1D11.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1D12.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1D13.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1D14.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1D44.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1D45.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1D46.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1D47.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1D48.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1D68.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1D79.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1D89.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1D8A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1D8B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1D8C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1D8D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1D8E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1D8F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1DA0.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1DA1.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1DA2.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1DA3.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1DA4.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1DA5.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1DA6.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1DC6.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1DC7.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1DC8.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1DC9.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1DDA.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1DDB.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1DDC.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1DDD.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1DDE.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1DDF.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1DE0.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1DF1.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1DF2.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1DF3.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1DF4.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1DF5.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1DF6.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E06.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E07.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E08.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E09.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E0A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E0B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E0C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E2C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E2D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E2E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E2F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E30.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E31.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E32.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E43.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E44.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E45.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E46.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E47.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E48.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E49.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E5A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E5B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E5C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E5D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E5E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E5F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E6F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E70.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E71.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E72.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E73.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E74.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E75.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E86.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E87.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E88.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E89.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E8A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E8B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E8C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E9D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E9E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1E9F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1EA0.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1EA1.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1EA2.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1EB2.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1EB3.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1EB4.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1EB5.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1EB6.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1EB7.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1EB8.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1EC9.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1ECA.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1ECB.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1ECC.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1ECD.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1ECE.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1ECF.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1EDF.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1EE0.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1EE1.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1EE2.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1EE3.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1EE4.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1EE5.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1EF6.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1EF7.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1EF8.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1EF9.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1EFA.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1EFB.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1F0C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1F0D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1F0E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1F0F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1F10.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1F11.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1F21.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Windows\system32\c_1252.nls desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 3
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft - False 1
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Amsisigd - False 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\12A3.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\12A4.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\12A5.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\12A6.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\12B7.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\12B8.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\12B9.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\12BA.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\12CB.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\12CC.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\12CD.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\12DD.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\12EE.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\12EF.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\12F0.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\12F1.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\12F2.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1302.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1303.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1304.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1305.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1316.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1317.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1318.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1319.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\131A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\132B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\132C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\132D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\132E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\133E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\133F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1340.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1341.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1352.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1353.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1354.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1355.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1375.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1376.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1387.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1388.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1389.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\138A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\138B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\139B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\139C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\139D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\139E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\13AF.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\13B0.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\13B1.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\13B2.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\13B3.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\13C4.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\13C5.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\13D5.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\13D6.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\13D7.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\13D8.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\13E9.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\13EA.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\13EB.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\13EC.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\13FD.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\13FE.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\13FF.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1400.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1401.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1411.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1412.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1413.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1414.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1425.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1435.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1436.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1437.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1448.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1459.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\145A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\146A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\146B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\146C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\146D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\146E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\147F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1480.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1481.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1482.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1493.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1494.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1495.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1496.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1497.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\14A7.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\14A8.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\14A9.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\14AA.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\14AB.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\14BC.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\14BD.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\14BE.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\14BF.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\14C0.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\14D0.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\14D1.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\14D2.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\14D3.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\14D4.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\14E5.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\14E6.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\14E7.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\14E8.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\14E9.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\14FA.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\14FB.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\14FC.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\14FD.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\14FE.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\150E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\150F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1510.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1511.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1512.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1523.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1524.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1525.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1526.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1527.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1528.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1539.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\153A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\153B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\153C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\154C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\154D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\154E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\154F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1560.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1561.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1562.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1563.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1564.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1574.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1575.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1576.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1577.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1578.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1579.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\158A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\158B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\158C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\158D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\158E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\159F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\15A0.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\15A1.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\15A2.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\15B2.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\15B3.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\15B4.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\15B5.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\15C6.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\15C7.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\15C8.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\15C9.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\15CA.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\15DB.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\15DC.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\15DD.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\15DE.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\15EE.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\15EF.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\15F0.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\15F1.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\15F2.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\15F3.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1604.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1605.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1606.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1607.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1617.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1618.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1619.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\161A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\161B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\162C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\162D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\162E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\162F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1630.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1631.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1642.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1643.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1644.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1645.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1646.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1656.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1657.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1658.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1659.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\165A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\166B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\166C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\166D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\166E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\166F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1670.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1681.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1682.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1683.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1684.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1685.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1695.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1696.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1697.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1698.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1699.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\16AA.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\16AB.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\16AC.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\16AD.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\16AE.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\16BE.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\16BF.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\16C0.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\16C1.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\16C2.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\16D3.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\16D4.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\16D5.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\16D6.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\16D7.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\16E8.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\16E9.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\16EA.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\16EB.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\16EC.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\16ED.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\16FD.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\16FE.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\16FF.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1700.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1701.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1712.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1713.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1714.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1715.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1716.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1727.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1728.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1729.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\172A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\172B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\173B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\174C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\174D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\174E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\174F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1750.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1760.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1761.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1762.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1763.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1764.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1775.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1776.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1777.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1778.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1779.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\177A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\179A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\17AB.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\17AC.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\17AD.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\17AE.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\17BF.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\17C0.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\17D0.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\17E1.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\17E2.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\17E3.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\17E4.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\17E5.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\17F5.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\17F6.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\17F7.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\17F8.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\17F9.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\180A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\180B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\180C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\180D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\180E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\181F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1820.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1821.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1822.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
For performance reasons, the remaining 2505 entries are omitted.
The remaining entries can be found in glog.xml.
Registry (10)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Open Key HKEY_USERS - True 1
Fn
Open Key HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = Accocca, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Amsisigd\Chakmcat.exe, type = REG_SZ True 1
Fn
Read Value HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming, type = REG_SZ True 1
Fn
Enumerate Keys HKEY_USERS - True 1
Fn
Enumerate Keys HKEY_USERS - True 1
Fn
Enumerate Keys HKEY_USERS - True 1
Fn
Enumerate Keys HKEY_USERS - True 1
Fn
Process (4)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\system32\svchost.exe os_pid = 0xd84, creation_flags = CREATE_SUSPENDED, CREATE_DEFAULT_ERROR_MODE, show_window = SW_HIDE True 1
Fn
Open c:\windows\explorer.exe desired_access = PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\explorer.exe desired_access = PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\explorer.exe desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Fn
Thread (6)
Operation Process Additional Information Success Count Logfile
Suspend c:\users\ciihmn~1\appdata\roaming\micros~1\amsisigd\chakmcat.exe os_tid = 0xd60 True 1
Fn
Get Context c:\users\ciihmn~1\appdata\roaming\micros~1\amsisigd\chakmcat.exe os_tid = 0xd60 True 2
Fn
Set Context c:\users\ciihmn~1\appdata\roaming\micros~1\amsisigd\chakmcat.exe os_tid = 0xd60 True 1
Fn
Resume c:\users\ciihmn~1\appdata\roaming\micros~1\amsisigd\chakmcat.exe os_tid = 0xd60 True 2
Fn
Memory (1)
Operation Process Additional Information Success Count Logfile
Write C:\Windows\system32\svchost.exe address = 0x300000, size = 792 True 1
Fn
Data
Module (177)
Operation Module Additional Information Success Count Logfile
Load ntdll.dll base_address = 0x77190000 True 1
Fn
Load SHLWAPI.dll base_address = 0x75dc0000 True 1
Fn
Load KERNEL32.dll base_address = 0x76bc0000 True 1
Fn
Load USER32.dll base_address = 0x74500000 True 1
Fn
Load ADVAPI32.dll base_address = 0x75d40000 True 1
Fn
Load SHELL32.dll base_address = 0x74760000 True 1
Fn
Load ole32.dll base_address = 0x74640000 True 1
Fn
Load USER32.DLL base_address = 0x74500000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76bc0000 True 13
Fn
Get Handle c:\users\ciihmn~1\appdata\roaming\micros~1\amsisigd\chakmcat.exe base_address = 0x400000 True 1
Fn
Get Handle c:\windows\syswow64\user32.dll base_address = 0x74500000 True 1
Fn
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77190000 True 1
Fn
Get Filename - process_name = c:\users\ciihmn~1\appdata\roaming\micros~1\amsisigd\chakmcat.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\Amsisigd\Chakmcat.exe, size = 260 True 1
Fn
Get Filename c:\users\ciihmn~1\appdata\roaming\micros~1\amsisigd\chakmcat.exe process_name = c:\users\ciihmn~1\appdata\roaming\micros~1\amsisigd\chakmcat.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\Amsisigd\Chakmcat.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76bda330 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76bd7580 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76bd9910 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76bdf400 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x771ef190 True 8
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x771ea200 True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76bd8b70 True 2
Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwClose, address_out = 0x771f8cb0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwQueryInformationToken, address_out = 0x771f8df0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlNtStatusToDosError, address_out = 0x771e3010 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwOpenProcess, address_out = 0x771f8e40 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwQueryInformationProcess, address_out = 0x771f8d50 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = mbstowcs, address_out = 0x771fe610 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = memset, address_out = 0x771fee50 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = memcpy, address_out = 0x771fe7b0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySystemInformation, address_out = 0x771f8f40 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtUnmapViewOfSection, address_out = 0x771f8e80 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtMapViewOfSection, address_out = 0x771f8e60 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlUpcaseUnicodeString, address_out = 0x771de040 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtCreateSection, address_out = 0x771f9080 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwOpenProcessToken, address_out = 0x771f9d20 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlFreeUnicodeString, address_out = 0x771cb940 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlUnwind, address_out = 0x771eaca0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtQueryVirtualMemory, address_out = 0x771f8e10 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindExtensionW, address_out = 0x75dd7c40 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = StrRChrA, address_out = 0x75de2900 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindExtensionA, address_out = 0x75de1db0 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = StrChrA, address_out = 0x75de26c0 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathCombineW, address_out = 0x75ddcd50 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindFileNameW, address_out = 0x75dd80d0 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = StrChrW, address_out = 0x75dd6a00 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = StrTrimW, address_out = 0x75dd83a0 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindFileNameA, address_out = 0x75dd8970 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ResetEvent, address_out = 0x76be60b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76be5f20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x76bdd8d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventA, address_out = 0x76be5f70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateWaitableTimerA, address_out = 0x76bddb30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x76be57f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x76c00960 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileAttributesW, address_out = 0x76be6510 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileA, address_out = 0x76be61a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76be6590 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x771cda90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetEvent, address_out = 0x76be60c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileTime, address_out = 0x76be6380 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76bd7940 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76bd2db0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatW, address_out = 0x76bfd320 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x76bd77b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x76be6170 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiW, address_out = 0x76bd7540 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76bd25e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x76bd2d80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetWaitableTimer, address_out = 0x76be60d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x76bda4b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76be74f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x76bd9640 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapCreate, address_out = 0x76bd9950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapDestroy, address_out = 0x76bdd940 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x76be6110 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76bd2b90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileW, address_out = 0x76be61b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ExpandEnvironmentStringsA, address_out = 0x76c00da0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtectEx, address_out = 0x76c02a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ResumeThread, address_out = 0x76bda280 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SuspendThread, address_out = 0x76bded00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpA, address_out = 0x76bdc1f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTempFileNameA, address_out = 0x76be63f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryA, address_out = 0x76be6140 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTempPathA, address_out = 0x76be6410 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76bd1b90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSize, address_out = 0x76be6360 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpynA, address_out = 0x76bdf7b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileA, address_out = 0x76be6270 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareFileTime, address_out = 0x76be6130 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLongPathNameW, address_out = 0x76bd47c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = OpenProcess, address_out = 0x76bd92b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetVersion, address_out = 0x76bda300 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76bd1d90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x76be61d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x76bde320 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ExpandEnvironmentStringsW, address_out = 0x76bdc8c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x76bdefc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x76be3a30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x76be6530 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x76be64a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76bd9560 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x76bda040 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x76be6180 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x76bd2af0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76bd8c70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiA, address_out = 0x76bd7610 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetEndOfFile, address_out = 0x76be64f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x76bfd410 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryW, address_out = 0x76be6150 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x76be62a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LocalFree, address_out = 0x76bd87c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileA, address_out = 0x76be6210 True 1
Get Address c:\windows\syswow64\user32.dll function = wsprintfW, address_out = 0x7452ddf0 True 1
Get Address c:\windows\syswow64\user32.dll function = wsprintfA, address_out = 0x7452ea00 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExA, address_out = 0x75d5ee40 True 1
Get Address c:\windows\syswow64\advapi32.dll function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x75d8bda0 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyA, address_out = 0x75d631a0 True 1
Get Address c:\windows\syswow64\advapi32.dll function = GetTokenInformation, address_out = 0x75d5ed40 True 1
Get Address c:\windows\syswow64\advapi32.dll function = OpenProcessToken, address_out = 0x75d5ee90 True 1
Get Address c:\windows\syswow64\advapi32.dll function = GetSidSubAuthority, address_out = 0x75d60ea0 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegCreateKeyA, address_out = 0x75d63150 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x75d5f0a0 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExA, address_out = 0x75d60750 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegDeleteValueW, address_out = 0x75d60ca0 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyW, address_out = 0x75d5f590 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegEnumKeyExA, address_out = 0x75d62520 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x75d5efa0 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x75d5ed60 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExA, address_out = 0x75d5f000 True 1
Get Address c:\windows\syswow64\advapi32.dll function = GetSidSubAuthorityCount, address_out = 0x75d60f50 True 1
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x748f4cb0 True 1
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteW, address_out = 0x748f4370 True 1
Get Address c:\windows\syswow64\shell32.dll function = 92, address_out = 0x749d7560 True 1
Get Address c:\windows\syswow64\ole32.dll function = CoInitializeEx, address_out = 0x76d5cd50 True 1
Get Address c:\windows\syswow64\ole32.dll function = CoUninitialize, address_out = 0x76d5dca0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsWow64Process, address_out = 0x76bd96e0 True 1
Get Address c:\windows\syswow64\user32.dll function = FindWindowA, address_out = 0x74530980 True 1
Get Address c:\windows\syswow64\user32.dll function = GetWindowThreadProcessId, address_out = 0x7451ba70 True 1
Get Address c:\windows\syswow64\ntdll.dll function = ZwWow64QueryInformationProcess64, address_out = 0x771fa840 True 13
Create Mapping - protection = PAGE_EXECUTE_READWRITE, maximum_size = 1701360 True 1
Map - process_name = c:\users\ciihmn~1\appdata\roaming\micros~1\amsisigd\chakmcat.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2710000 True 1
Map - process_name = C:\Windows\system32\svchost.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x260000 True 1
Window (1)
Operation Window Name Additional Information Success Count Logfile
Find - class_name = ProgMan True 1
System (1)
Operation Additional Information Success Count Logfile
Get Info type = Operating System True 1
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Process #8: svchost.exe
(Host: 268, Network: 0)
Information Value
ID #8
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:01, Reason: Child Process
Unmonitor End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration 00:01:19
OS Process Information
Information Value
PID 0xd84
Parent PID 0xd68 (c:\users\ciihmn~1\appdata\roaming\micros~1\amsisigd\chakmcat.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xD88
0xCBC
0x9A4
0xDD8
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
pagefile_0x0000000000260000 0x00260000 0x002f1fff Pagefile Backed Memory Readable, Writable, Executable True False False
private_0x0000000000300000 0x00300000 0x00300fff Private Memory Readable, Writable, Executable True False False
private_0x000000007f766000 0x7f766000 0x7f766fff Private Memory Readable, Writable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x0000006c8b260000 0x6c8b260000 0x6c8b27ffff Private Memory Readable, Writable True False False
pagefile_0x0000006c8b260000 0x6c8b260000 0x6c8b26ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000006c8b270000 0x6c8b270000 0x6c8b271fff Private Memory Readable, Writable True False False
svchost.exe.mui 0x6c8b270000 0x6c8b270fff Memory Mapped File Readable False False False
pagefile_0x0000006c8b280000 0x6c8b280000 0x6c8b293fff Pagefile Backed Memory Readable True False False
private_0x0000006c8b2a0000 0x6c8b2a0000 0x6c8b31ffff Private Memory Readable, Writable True False False
pagefile_0x0000006c8b320000 0x6c8b320000 0x6c8b323fff Pagefile Backed Memory Readable True False False
pagefile_0x0000006c8b330000 0x6c8b330000 0x6c8b330fff Pagefile Backed Memory Readable True False False
private_0x0000006c8b340000 0x6c8b340000 0x6c8b341fff Private Memory Readable, Writable True False False
locale.nls 0x6c8b350000 0x6c8b40dfff Memory Mapped File Readable False False False
imm32.dll 0x6c8b410000 0x6c8b443fff Memory Mapped File Readable False False False
private_0x0000006c8b410000 0x6c8b410000 0x6c8b410fff Private Memory Readable, Writable True False False
private_0x0000006c8b420000 0x6c8b420000 0x6c8b420fff Private Memory Readable, Writable True False False
private_0x0000006c8b450000 0x6c8b450000 0x6c8b456fff Private Memory Readable, Writable True False False
private_0x0000006c8b460000 0x6c8b460000 0x6c8b4dffff Private Memory Readable, Writable True False False
private_0x0000006c8b500000 0x6c8b500000 0x6c8b5fffff Private Memory Readable, Writable True False False
private_0x0000006c8b600000 0x6c8b600000 0x6c8b648fff Private Memory Readable, Writable True False False
private_0x0000006c8b650000 0x6c8b650000 0x6c8b84ffff Private Memory Readable, Writable True False False
pagefile_0x0000006c8b650000 0x6c8b650000 0x6c8b6e1fff Pagefile Backed Memory Readable, Writable, Executable True False False
private_0x0000006c8b700000 0x6c8b700000 0x6c8b7fffff Private Memory Readable, Writable True False False
ole32.dll 0x6c8b800000 0x6c8b940fff Memory Mapped File Readable False False False
private_0x0000006c8b800000 0x6c8b800000 0x6c8b9d8fff Private Memory Readable, Writable True False False
pagefile_0x0000006c8b800000 0x6c8b800000 0x6c8b987fff Pagefile Backed Memory Readable True False False
private_0x0000006c8b9d0000 0x6c8b9d0000 0x6c8b9d8fff Private Memory Readable, Writable True False False
private_0x0000006c8b9e0000 0x6c8b9e0000 0x6c8bbdffff Private Memory Readable, Writable True False False
private_0x0000006c8ba00000 0x6c8ba00000 0x6c8bafffff Private Memory Readable, Writable True False False
private_0x0000006c8bb00000 0x6c8bb00000 0x6c8bcfffff Private Memory Readable, Writable True False False
private_0x0000006c8bb00000 0x6c8bb00000 0x6c8bbfffff Private Memory Readable, Writable True False False
private_0x0000006c8bc00000 0x6c8bc00000 0x6c8bdfffff Private Memory Readable, Writable True False False
private_0x0000006c8bc00000 0x6c8bc00000 0x6c8bcfffff Private Memory Readable, Writable True False False
private_0x0000006c8bd00000 0x6c8bd00000 0x6c8befffff Private Memory Readable, Writable True False False
private_0x0000006c8bd00000 0x6c8bd00000 0x6c8bdfffff Private Memory Readable, Writable True False False
pagefile_0x0000006c8be00000 0x6c8be00000 0x6c8bf80fff Pagefile Backed Memory Readable True False False
pagefile_0x0000006c8bf90000 0x6c8bf90000 0x6c8d38ffff Pagefile Backed Memory Readable True False False
sortdefault.nls 0x6c8d390000 0x6c8d6c6fff Memory Mapped File Readable False False False
pagefile_0x00007df5ffc50000 0x7df5ffc50000 0x7ff5ffc4ffff Pagefile Backed Memory - True False False
pagefile_0x00007ff6c6f90000 0x7ff6c6f90000 0x7ff6c708ffff Pagefile Backed Memory Readable True False False
pagefile_0x00007ff6c7090000 0x7ff6c7090000 0x7ff6c70b2fff Pagefile Backed Memory Readable True False False
private_0x00007ff6c70b6000 0x7ff6c70b6000 0x7ff6c70b6fff Private Memory Readable, Writable True False False
private_0x00007ff6c70bc000 0x7ff6c70bc000 0x7ff6c70bdfff Private Memory Readable, Writable True False False
private_0x00007ff6c70be000 0x7ff6c70be000 0x7ff6c70bffff Private Memory Readable, Writable True False False
svchost.exe 0x7ff6c7e00000 0x7ff6c7e0cfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x7ffb39960000 0x7ffb3998bfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x7ffb3a800000 0x7ffb3a9dcfff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x7ffb3a9f0000 0x7ffb3aa40fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x7ffb3bf80000 0x7ffb3c0a5fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x7ffb3c290000 0x7ffb3c2c5fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x7ffb3c2d0000 0x7ffb3c375fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x7ffb3c3e0000 0x7ffb3c564fff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x7ffb3c650000 0x7ffb3c79dfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x7ffb3c950000 0x7ffb3c9aafff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x7ffb3c9b0000 0x7ffb3ca6dfff Memory Mapped File Readable, Writable, Executable False False False
combase.dll 0x7ffb3cc70000 0x7ffb3ceebfff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x7ffb3cf10000 0x7ffb3cfacfff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x7ffb3cfb0000 0x7ffb3cfb7fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x7ffb3d020000 0x7ffb3d17bfff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x7ffb3d260000 0x7ffb3d30cfff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x7ffb3d310000 0x7ffb3d4d1fff Memory Mapped File Readable, Writable, Executable False False False
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count Logfile
Modify Memory #7: c:\users\ciihmn~1\appdata\roaming\micros~1\amsisigd\chakmcat.exe 0xd60 address = 0x260000, size = 598016 True 1
Modify Memory #7: c:\users\ciihmn~1\appdata\roaming\micros~1\amsisigd\chakmcat.exe 0xd60 address = 0x300000, size = 792 True 1
Modify Control Flow #7: c:\users\ciihmn~1\appdata\roaming\micros~1\amsisigd\chakmcat.exe 0xd60 os_tid = 0xd88, address = 0xc70b6000 True 1
Host Behavior
File (6)
Operation Filename Additional Information Success Count Logfile
Create C:\Windows\SYSTEM32\ntdll.dll desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 3
Read C:\Windows\SYSTEM32\ntdll.dll size = 4, size_out = 4 True 3
Registry (7)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 - True 1
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 - True 1
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 - True 1
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 value_name = Ini, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 value_name = Client, data = 76, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 value_name = Scr, type = REG_NONE False 1
Write Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 value_name = Client, size = 40, type = REG_BINARY True 1
Process (22)
Operation Process Additional Information Success Count Logfile
Get Info c:\windows\system32\svchost.exe type = PROCESS_BASIC_INFORMATION True 20
Open c:\windows\explorer.exe desired_access = PROCESS_QUERY_INFORMATION True 1
Open c:\windows\explorer.exe desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Thread (7)
Operation Process Additional Information Success Count Logfile
Create c:\windows\explorer.exe proc_address = 0x7ffb3d319fa0, proc_parameter = 0, flags = THREAD_CREATE_SUSPENDED True 1
Suspend c:\windows\explorer.exe os_tid = 0xcb0 True 1
Get Context c:\windows\explorer.exe os_tid = 0xcb0 True 2
Set Context c:\windows\explorer.exe os_tid = 0xcb0 True 1
Resume c:\windows\explorer.exe os_tid = 0xcb0 True 2
Memory (9)
Operation Process Additional Information Success Count Logfile
Allocate c:\windows\explorer.exe address = 0x6c8b31eb80, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 466191772552 True 1
Protect c:\windows\explorer.exe address = 0x7ffb3d319fa0, protection = PAGE_EXECUTE_READWRITE, size = 4 True 2
Protect c:\windows\explorer.exe address = 0x7ffb3d319fa0, protection = PAGE_EXECUTE_READ, size = 4 True 2
Read c:\windows\explorer.exe address = 0x7ffb3d319fa0, size = 4 True 1
Write c:\windows\explorer.exe address = 0x7ffb3d319fa0, size = 4 True 2
Write c:\windows\explorer.exe address = 0x900000, size = 792 True 1
Module (203)
Operation Module Additional Information Success Count Logfile
Load ntdll.dll base_address = 0x0 True 1
Load KERNEL32.dll base_address = 0x0 True 1
Load OLEAUT32.dll base_address = 0x0 True 1
Load ADVAPI32.dll base_address = 0x7ffb3c2d0000 True 1
Load SHLWAPI.dll base_address = 0x7ffb3a9f0000 True 1
Load USER32.dll base_address = 0x7ffb3c650000 True 1
Load PSAPI.DLL base_address = 0x7ffb3cfb0000 True 1
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ffb3d260000 True 6
Get Handle c:\windows\system32\ntdll.dll base_address = 0x7ffb3d310000 True 3
Get Handle c:\windows\system32\kernelbase.dll base_address = 0x7ffb3a800000 True 1
Get Handle c:\windows\system32\advapi32.dll base_address = 0x7ffb3c2d0000 True 2
Get Filename OLEAUT32.dll process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 260 True 1
Get Filename c:\windows\system32\ntdll.dll process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 True 3
Get Address - function = _snprintf, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = sprintf, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = ZwOpenProcess, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = ZwOpenProcessToken, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = ZwClose, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = ZwQueryInformationToken, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = strcpy, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = NtQuerySystemInformation, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = RtlNtStatusToDosError, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = ZwQueryInformationProcess, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = memcpy, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = NtUnmapViewOfSection, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = _wcsupr, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = _strupr, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = memmove, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = memset, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = wcscpy, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = ZwQueryKey, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = RtlFreeUnicodeString, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = wcstombs, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = RtlAdjustPrivilege, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = mbstowcs, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = RtlImageNtHeader, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = NtMapViewOfSection, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = NtCreateSection, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = __C_specific_handler, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = __chkstk, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = CreateFileMappingA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = SetFilePointerEx, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = QueueUserWorkItem, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = VirtualProtectEx, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = GetComputerNameW, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = ExpandEnvironmentStringsA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = FindNextFileA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = CompareFileTime, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = FindFirstFileA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = GetFileTime, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = GetCurrentProcessId, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = QueryPerformanceCounter, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = GetModuleFileNameA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = CreateDirectoryA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = GetLastError, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = HeapFree, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = RemoveDirectoryA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = CloseHandle, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = LoadLibraryA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = CreateFileA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = DeleteFileA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = lstrcpyA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = lstrlenA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = lstrcatA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = WriteFile, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = HeapAlloc, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = HeapDestroy, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = HeapCreate, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = SetEvent, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = HeapReAlloc, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = WaitForSingleObject, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = SuspendThread, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = OpenProcess, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = ResumeThread, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = lstrcpyW, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = lstrcmpiW, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = GetModuleHandleA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = CreateThread, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = CreateFileW, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = SwitchToThread, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = lstrcatW, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = Sleep, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = GetTickCount, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = SetWaitableTimer, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = CopyFileW, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = GetCurrentThreadId, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = GetCurrentThread, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = DuplicateHandle, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = lstrlenW, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = CreateEventA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = GetWindowsDirectoryA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = DeleteFileW, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = CreateDirectoryW, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = GetTempPathA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = lstrcmpiA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = WaitForMultipleObjects, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = lstrcmpA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = ResetEvent, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = CreateMutexA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = OpenWaitableTimerA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = MapViewOfFile, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = OpenMutexA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = UnmapViewOfFile, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = ReleaseMutex, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = GetVersionExA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = CreateWaitableTimerA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = SetLastError, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = InitializeCriticalSection, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = EnterCriticalSection, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = LeaveCriticalSection, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = UnregisterWait, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = VirtualProtect, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = RegisterWaitForSingleObject, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = TlsAlloc, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = TlsGetValue, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = LoadLibraryExW, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = TlsSetValue, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = GetProcAddress, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = GetDriveTypeW, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = WideCharToMultiByte, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = OpenFileMappingA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = GetExitCodeProcess, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = LocalFree, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = CreateProcessA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = GetFileSize, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = lstrcpynA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = Thread32First, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = QueueUserAPC, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = OpenThread, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = Thread32Next, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = ConnectNamedPipe, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = GetOverlappedResult, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = CancelIo, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Get Address - function = DisconnectNamedPipe, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = FlushFileBuffers, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = CallNamedPipeA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = CreateNamedPipeA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = GetSystemTime, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = WaitNamedPipeA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = ReadFile, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = SleepEx, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = OpenEventA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = LocalAlloc, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = FreeLibrary, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = RaiseException, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = VirtualFree, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = GetModuleFileNameW, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = GetVersion, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = GetLocalTime, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = QueryPerformanceFrequency, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = DeleteCriticalSection, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = GetTempFileNameA, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = FindNextFileW, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = SetEndOfFile, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = SetFilePointer, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = FindFirstFileW, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = RemoveDirectoryW, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = GetFileAttributesW, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = FindClose, ordinal = 0, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = 0, ordinal = 9, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = 0, ordinal = 6, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = 0, ordinal = 2, address_out = 0x6c8b31fa10 True 1
Fn
Get Address - function = 0, ordinal = 8, address_out = 0x6c8b31fa10 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsWow64Process, address_out = 0x7ffb3d27e960 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7ffb3c2ed610 True 1
Fn
Get Address c:\windows\system32\shlwapi.dll function = StrRChrA, address_out = 0x7ffb3aa04dd0 True 1
Fn
Get Address c:\windows\system32\user32.dll function = wsprintfA, address_out = 0x7ffb3c672610 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7ffb3c2fec40 True 1
Fn
Get Address c:\windows\system32\psapi.dll function = EnumProcessModules, address_out = 0x7ffb3cfb1040 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyA, address_out = 0x7ffb3c2eb9e0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7ffb3c2e7dd0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7ffb3c2e72e0 True 1
Fn
Get Address c:\windows\system32\shlwapi.dll function = StrToIntExA, address_out = 0x7ffb3aa04e70 True 1
Fn
Get Address c:\windows\system32\shlwapi.dll function = StrChrA, address_out = 0x7ffb3aa04cc0 True 1
Fn
Get Address c:\windows\system32\shlwapi.dll function = StrTrimA, address_out = 0x7ffb3aa04e80 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetShellWindow, address_out = 0x7ffb3c674060 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetWindowThreadProcessId, address_out = 0x7ffb3c664040 True 1
Fn
Get Address c:\windows\system32\ntdll.dll function = RtlExitUserThread, address_out = 0x7ffb3d319fa0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateRemoteThread, address_out = 0x7ffb3d2a26d0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCreateKeyA, address_out = 0x7ffb3c316dc0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = GetUserNameW, address_out = 0x7ffb3c2eda40 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegSetValueExA, address_out = 0x7ffb3c2d2680 True 1
Fn
Create Mapping - protection = PAGE_EXECUTE_READWRITE, maximum_size = 466191773984 True 1
Fn
Map - process_name = c:\windows\system32\svchost.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x6c8b650000 True 1
Fn
Map - process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xeda0000 True 1
Fn
System (6)
Operation Additional Information Success Count Logfile
Get Computer Name - False 1
Get Computer Name result_out = LHNIWSJ True 1
Get Time type = System Time, time = 2017-12-11 16:43:38 (UTC) True 2
Get Info type = Operating System True 2
Mutex (1)
Operation Additional Information Success Count Logfile
Create mutex_name = {BB8A49DA-DE80-A5F2-C01F-F2A9F4C346ED} True 1
Process #9: explorer.exe
(Host: 1632, Network: 895)
Information Value
ID #9
File Name c:\windows\explorer.exe
Command Line C:\Windows\Explorer.EXE
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:02, Reason: Injection
Unmonitor End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration 00:01:18
OS Process Information
Information Value
PID 0x728
Parent PID 0xffffffffffffffff (Unknown)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
For performance reasons, the remaining 872 entries are omitted.
The remaining entries can be found in flog.txt.
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count Logfile
Create Remote Thread #8: c:\windows\system32\svchost.exe 0xd88 address = 0x7ffb3d319fa0 True 1
Modify Memory #8: c:\windows\system32\svchost.exe 0xd88 address = 0xeda0000, size = 598016 True 1
Modify Memory #8: c:\windows\system32\svchost.exe 0xd88 address = 0x900000, size = 792 True 1
Modify Control Flow #8: c:\windows\system32\svchost.exe 0xd88 os_tid = 0xcb0, address = 0x0 True 1
Modify Memory #8: c:\windows\system32\svchost.exe 0xd88 address = 0x7ffb3d319fa0, size = 4 True 1
Host Behavior
COM (2)
Operation Class Interface Additional Information Success Count Logfile
Create 8D4B04E1-1331-11D0-81B8-00C04FD85AB4 FD465481-1384-11D0-ABBD-0020AFDFD10A cls_context = CLSCTX_INPROC_SERVER, CLSCTX_NO_CODE_DOWNLOAD, CLSCTX_NO_FAILURE_LOG False 1
Create 7165C8AB-AF88-42BD-86FD-5310B4285A02 AD553D98-DEB1-474A-8E17-FC0C2075B738 cls_context = CLSCTX_INPROC_SERVER, CLSCTX_NO_CODE_DOWNLOAD, CLSCTX_NO_FAILURE_LOG True 1
File (67)
Operation Filename Additional Information Success Count Logfile
Create C:\Windows\system32\c_1252.nls desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 3
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Amsisigd\Chakmcat.exe desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Windows\SYSTEM32\ntdll.dll desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 3
Create C:\Users\CIIHMN~1\AppData\Local\Temp\6DB4.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\6DB4.tmp desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\state.tmp desired_access = DELETE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\router-stability desired_access = DELETE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\geoip desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\A7BD.bi1 desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\cached-certs desired_access = DELETE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\cached-consensus desired_access = DELETE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\unverified-consensus desired_access = DELETE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\cached-microdesc-consensus desired_access = DELETE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\unverified-microdesc-consensus desired_access = DELETE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Create \tor\fallback-consensus desired_access = DELETE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\cached-microdescs desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\cached-microdescs.new desired_access = DELETE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\cached-descriptors desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\cached-extrainfo desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7993.bin desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8F3C.bin desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7993.bin desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8F3C.bin desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\A7BD.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\6DB4.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7993.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8F3C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Pipe \device\namedpipe\{d0964750-ef7b-8278-f904-93d63d78776a} open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_OVERLAPPED, pipe_mode = PIPE_TYPE_MESSAGE, max_instances = 255 True 1
Get Info C:\Windows\system32\c_1252.nls type = time True 1
Get Info C:\Windows\system32\c_1252.nls type = time True 1
Get Info C:\Windows\system32\c_1252.nls type = time True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js type = size True 1
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\6DB4.tmp type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\state.tmp type = file_type True 1
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\A7BD.bi1 type = size True 1
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\8F3C.bin type = file_attributes False 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Move C:\Users\CIiHmnxMn6Ps\AppData\Roaming\state source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\state.tmp False 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js size = 11465, size_out = 11465 True 1
Read C:\Windows\SYSTEM32\ntdll.dll size = 4, size_out = 4 True 3
Read C:\Users\CIIHMN~1\AppData\Local\Temp\6DB4.tmp size = 3162112, size_out = 3162112 True 1
Read C:\Users\CIIHMN~1\AppData\Local\Temp\A7BD.bi1 size = 125, size_out = 125 True 1
Read - size = 16, size_out = 16 True 1
Read C:\Users\CIIHMN~1\AppData\Local\Temp\7993.bin size = 190, size_out = 190 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js size = 48 True 1
Write C:\Users\CIIHMN~1\AppData\Local\Temp\6DB4.tmp size = 3162112 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\state.tmp size = 223 True 1
Write - size = 16 True 1
Write C:\Users\CIIHMN~1\AppData\Local\Temp\7993.bin size = 190 True 1
Write C:\Users\CIIHMN~1\AppData\Local\Temp\8F3C.bin size = 30 True 2
Write C:\Users\CIIHMN~1\AppData\Local\Temp\8F3C.bin size = 7 True 1
Write C:\Users\CIIHMN~1\AppData\Local\Temp\8F3C.bin size = 106 True 1
Write C:\Users\CIIHMN~1\AppData\Local\Temp\8F3C.bin size = 53 True 1
Write C:\Users\CIIHMN~1\AppData\Local\Temp\8F3C.bin size = 22 True 1
Delete C:\Users\CIIHMN~1\AppData\Local\Temp\A7BD.bi1 - True 1
Delete C:\Users\CIIHMN~1\AppData\Local\Temp\7993.bin - True 1
Registry (305)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 - True 1
Create Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 - True 1
Create Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 - True 1
Create Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 - True 1
Create Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 - True 1
Create Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 - True 1
Create Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299\Files - True 1
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 - True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings - True 1
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 - True 1
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 - True 1
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299\Run - False 1
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299\Config - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\WAB\DLLPath - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Mail - False 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail - False 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ - False 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ - False 1
Fn
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 value_name = Ini, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 value_name = Client, type = REG_BINARY True 1
Fn
Data
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = Accocca, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = Accocca, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Amsisigd\Chakmcat.exe, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 value_name = {C2A3A3DE-3990-44FC-D316-7DB8B7AA016C}, type = REG_NONE False 1
Fn
Read Value TreatAs type = REG_NONE False 22
Fn
Read Value - data = 0 True 37
Fn
Read Value - data = Start Menu Cache True 1
Fn
Read Value - value_name = InprocServer32 False 17
Fn
Read Value - data = C:\Windows\system32\shell32.dll True 1
Fn
Read Value - value_name = ThreadingModel, data = Both True 14
Fn
Read Value InprocHandler32 - False 22
Fn
Read Value InprocHandler - False 22
Fn
Read Value - data = Shared Task Scheduler True 1
Fn
Read Value - data = C:\Windows\system32\windows.storage.dll True 1
Fn
Read Value - value_name = ThreadingModel, data = Apartment True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender value_name = DisableAntiSpyware, type = REG_NONE True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection value_name = DisableRealtimeMonitoring, type = REG_NONE False 2
Fn
Read Value - value_name = ActivationType, type = REG_NONE True 12
Fn
Read Value - value_name = Threading, type = REG_NONE True 12
Fn
Read Value - value_name = TrustLevel, type = REG_NONE True 12
Fn
Read Value - value_name = ActivateAsUser, type = REG_NONE False 12
Fn
Read Value - data = Immersive Shell True 1
Fn
Read Value - data = PSFactoryBuffer True 2
Fn
Read Value - data = C:\Windows\System32\ActXPrxy.dll True 1
Fn
Read Value - data = Network List Manager True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance value_name = Rank, type = REG_NONE False 1
Fn
Read Value HKEY_CLASSES_ROOT\AppUserModelId\Windows.SystemToast.SecurityAndMaintenance value_name = DisplayName, type = REG_NONE True 2
Fn
Read Value HKEY_CLASSES_ROOT\AppUserModelId\Windows.SystemToast.SecurityAndMaintenance value_name = IconUri, type = REG_NONE True 1
Fn
Read Value HKEY_CLASSES_ROOT\AppUserModelId\Windows.SystemToast.SecurityAndMaintenance value_name = IconBackgroundColor, type = REG_NONE True 1
Fn
Read Value HKEY_CLASSES_ROOT\AppUserModelId\Windows.SystemToast.SecurityAndMaintenance value_name = CustomActivator, type = REG_NONE True 2
Fn
Read Value - data = NotificationObjFactory True 1
Fn
Read Value - data = C:\Windows\System32\NotificationObjFactory.dll True 1
Fn
Read Value - value_name = ThreadingModel, data = Free True 1
Fn
Read Value - data = tiledatamodelsvc True 1
Fn
Read Value - data = XML DOM Document 6.0 True 1
Fn
Read Value - data = C:\Windows\System32\msxml6.dll True 3
Fn
Read Value - data = XML Schema Cache 6.0 True 1
Fn
Read Value HKEY_CLASSES_ROOT\AppUserModelId\Windows.SystemToast.SecurityAndMaintenance value_name = ForcePersonableToasts, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance value_name = ShowInActionCenter, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Notifications\Current\\Windows.SystemToast.SecurityAndMaintenance\195 value_name = ImageFileUri, type = REG_NONE False 1
Fn
Read Value - data = Windows Push Notification Platform True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Notifications\Current\\Windows.SystemToast.SecurityAndMaintenance\195 value_name = ImageFileUri, type = REG_NONE True 1
Fn
Read Value - data = Activation Manager Shim FTM True 1
Fn
Read Value - data = C:\Windows\system32\activationmanager.dll True 1
Fn
Read Value - data = Windows Push Notification Developer Proxy Stub True 1
Fn
Read Value - data = C:\Windows\System32\wpnapps.dll True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Notifications\Current\\Windows.SystemToast.SecurityAndMaintenance\196 value_name = ImageFileUri, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Notifications\Current\\Windows.SystemToast.SecurityAndMaintenance\196 value_name = ImageFileUri, type = REG_NONE True 1
Fn
Read Value - data = ExecModelProxy True 1
Fn
Read Value - data = C:\Windows\system32\execmodelproxy.dll True 1
Fn
Read Value - data = CLSID_NotificationController True 1
Fn
Read Value - data = CLSID_NotificationController Proxy Stub True 1
Fn
Read Value - data = C:\Windows\system32\NotificationControllerPS.dll True 1
Fn
Read Value - data = Sync root manager True 1
Fn
Read Value - data = C:\Windows\System32\shell32.dll True 1
Fn
Read Value - data = C:\Windows\System32\npmproxy.dll True 1
Fn
Read Value - - False 2
Fn
Read Value - data = C:\Windows\system32\windowscodecs.dll True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows value_name = DisplayVersion, type = REG_NONE False 4
Fn
Read Value HKEY_CURRENT_USER\Control Panel\Desktop value_name = PaintDesktopVersion, type = REG_NONE True 4
Fn
Read Value - data = C:\Windows\system32\dataexchange.dll True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search value_name = UseApp False 3
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search value_name = SearchboxTaskbarMode, type = REG_NONE False 3
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\GameDVR value_name = VKToggleGameBar, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 value_name = {DB94E230-7EC4-C521-603F-92C994E3E60D}, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 value_name = TorClient, type = REG_BINARY True 2
Fn
Data
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace value_name = ValidateRegItems False 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace value_name = MonitorRegistry, data = 1 True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace value_name = ValidateRegItems False 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace value_name = MonitorRegistry False 2
Fn
Read Value - data = CLSID_ImnAccountManager True 1
Fn
Read Value - data = C:\Windows\system32\msoeacct.dll True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Mail Setup value_name = DelayInitialized, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Mail Setup value_name = DelayInitialized, type = REG_NONE True 1
Fn
Read Value - data = ContactManager class True 1
Fn
Read Value - data = C:\Program Files\Common Files\System\wab32.dll True 1
Fn
Read Value - data = SAX XML Reader 6.0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\WAB\DLLPath - False 2
Fn
Write Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 value_name = {C2A3A3DE-3990-44FC-D316-7DB8B7AA016C}, size = 8, type = REG_BINARY True 1
Fn
Data
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings value_name = EnableSPDY3_0, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 value_name = {DB94E230-7EC4-C521-603F-92C994E3E60D}, size = 8, type = REG_BINARY True 1
Fn
Data
Write Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 value_name = TorClient, size = 46, type = REG_BINARY True 1
Fn
Data
Write Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 value_name = Client, size = 40, type = REG_BINARY True 1
Fn
Data
Write Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299\Files value_name = AAAA1B69FB9D72400E, size = 92, type = REG_BINARY True 1
Fn
Data
Process (81)
Operation Process Additional Information Success Count Logfile
Create cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\CIIHMN~1\AppData\Local\Temp\A7BD.bi1" os_pid = 0xef0, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Fn
Create cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\A7BD.bi1" os_pid = 0xd34, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Fn
Create "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE os_pid = 0xd24, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Fn
Get filename "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE file_name = \Device\HarddiskVolume1\Program Files\Windows Mail\WinMail.exe True 1
Fn
Get Info c:\windows\explorer.exe type = PROCESS_BASIC_INFORMATION True 74
Fn
Get Info "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE type = PROCESS_BASIC_INFORMATION True 1
Fn
Open c:\windows\system32\runtimebroker.exe desired_access = PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\runtimebroker.exe desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Fn
Thread (19)
Operation Process Additional Information Success Count Logfile
Create c:\windows\system32\runtimebroker.exe proc_address = 0x7ffb3d319fa0, proc_parameter = 0, flags = THREAD_CREATE_SUSPENDED True 1
Fn
Suspend c:\windows\system32\runtimebroker.exe os_tid = 0xe30 True 1
Fn
Suspend c:\windows\explorer.exe os_tid = 0xd3c True 3
Fn
Get Context c:\windows\system32\runtimebroker.exe os_tid = 0xe30 True 2
Fn
Get Context c:\windows\explorer.exe os_tid = 0xd3c True 4
Fn
Set Context c:\windows\system32\runtimebroker.exe os_tid = 0xe30 True 1
Fn
Set Context c:\windows\explorer.exe os_tid = 0xd3c True 1
Fn
Resume c:\windows\system32\runtimebroker.exe os_tid = 0xe30 True 2
Fn
Resume c:\windows\explorer.exe os_tid = 0xd3c True 4
Fn
Memory (23)
Operation Process Additional Information Success Count Logfile
Allocate c:\windows\system32\runtimebroker.exe address = 0x963eb10, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 157543192 True 1
Fn
Allocate "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE address = 0x5f0b120, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 99660072 True 1
Fn
Protect c:\windows\system32\runtimebroker.exe address = 0x7ffb3d319fa0, protection = PAGE_EXECUTE_READWRITE, size = 4 True 2
Fn
Protect c:\windows\system32\runtimebroker.exe address = 0x7ffb3d319fa0, protection = PAGE_EXECUTE_READ, size = 4 True 2
Fn
Protect "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE address = 0x7ff72b5076c0, protection = PAGE_EXECUTE_READWRITE, size = 4 True 2
Fn
Protect "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE address = 0x7ff72b5076c0, protection = PAGE_EXECUTE_READ, size = 4 True 2
Fn
Read c:\windows\system32\runtimebroker.exe address = 0x7ffb3d319fa0, size = 4 True 1
Fn
Data
Read "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE address = 0x7ff72a86f000, size = 616 True 1
Fn
Data
Read "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE address = 0x7ff72b500000, size = 4096 True 1
Fn
Data
Read "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE address = 0x7ff72b5000e8, size = 4096 True 1
Fn
Data
Read "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE address = 0x7ff72b509940, size = 40 True 1
Fn
Data
Read "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE address = 0x7ff72b508540, size = 4096 True 1
Fn
Data
Read "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE address = 0x7ff72b5076c0, size = 4 True 1
Fn
Data
Write c:\windows\system32\runtimebroker.exe address = 0x7ffb3d319fa0, size = 4 True 2
Fn
Data
Write c:\windows\system32\runtimebroker.exe address = 0x94282f0000, size = 792 True 1
Fn
Data
Write "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE address = 0x7ff72b5076c0, size = 4 True 2
Fn
Data
Write "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE address = 0x7eac860000, size = 792 True 1
Fn
Data
Module (514)
Operation Module Additional Information Success Count Logfile
Load ntdll.dll base_address = 0x0 True 1
Fn
Load KERNEL32.dll base_address = 0x0 True 2
Fn
Load OLEAUT32.dll base_address = 0x0 True 1
Fn
Load ADVAPI32.dll base_address = 0x7ffb3c2d0000 True 1
Fn
Load SHLWAPI.dll base_address = 0x7ffb3a9f0000 True 1
Fn
Load USER32.dll base_address = 0x7ffb3c650000 True 1
Fn
Load PSAPI.DLL base_address = 0x7ffb3cfb0000 True 1
Fn
Load ole32.dll base_address = 0x7ffb3cb20000 True 1
Fn
Load ADVAPI32.DLL base_address = 0x7ffb3c2d0000 True 3
Fn
Load WINHTTP.dll base_address = 0x7ffb333f0000 True 1
Fn
Load WS2_32.dll base_address = 0x0 True 1
Fn
Load CRYPT32.dll base_address = 0x0 True 1
Fn
Load USER32.dll base_address = 0x0 True 1
Fn
Load ADVAPI32.dll base_address = 0x0 True 1
Fn
Load SHELL32.dll base_address = 0x0 True 1
Fn
Load C:\Windows\system32\kernel32.dll base_address = 0x7ffb3d260000 True 1
Fn
Load KERNEL32.DLL base_address = 0x7ffb3d260000 True 2
Fn
Load NETAPI32.DLL base_address = 0x7ffb30240000 True 2
Fn
Load USER32.DLL base_address = 0x7ffb3c650000 True 2
Fn
Load WS2_32.dll base_address = 0x7ffb3c570000 True 1
Fn
Load C:\Windows\system32\iphlpapi.dll base_address = 0x7ffb37410000 True 2
Fn
Get Handle KERNEL32.DLL base_address = 0x7ffb3d260000 True 6
Fn
Get Handle NTDLL.DLL base_address = 0x7ffb3d310000 True 3
Fn
Get Handle kernelbase base_address = 0x7ffb3a800000 True 2
Fn
Get Handle ADVAPI32.DLL base_address = 0x7ffb3c2d0000 True 3
Fn
Get Handle Unknown module name base_address = 0x7ff67bf70000 True 3
Fn
Get Filename OLEAUT32.dll process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\Explorer.EXE, size = 260 True 1
Fn
Get Filename NTDLL.DLL process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 True 3
Fn
Get Filename SHELL32.dll process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\Explorer.EXE, size = 260 True 1
Fn
Get Address - function = _snprintf, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = sprintf, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = ZwOpenProcess, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = ZwOpenProcessToken, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = ZwClose, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = ZwQueryInformationToken, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = strcpy, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = NtQuerySystemInformation, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = RtlNtStatusToDosError, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = ZwQueryInformationProcess, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = memcpy, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = NtUnmapViewOfSection, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = _wcsupr, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = _strupr, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = memmove, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = memset, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = wcscpy, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = ZwQueryKey, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = RtlFreeUnicodeString, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = wcstombs, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = RtlAdjustPrivilege, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = mbstowcs, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = RtlImageNtHeader, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = NtMapViewOfSection, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = NtCreateSection, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = __C_specific_handler, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = __chkstk, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = CreateFileMappingA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = SetFilePointerEx, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = QueueUserWorkItem, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = VirtualProtectEx, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = GetComputerNameW, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = ExpandEnvironmentStringsA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = FindNextFileA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = CompareFileTime, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = FindFirstFileA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = GetFileTime, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = GetCurrentProcessId, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = QueryPerformanceCounter, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = GetModuleFileNameA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = CreateDirectoryA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = GetLastError, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = HeapFree, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = RemoveDirectoryA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = CloseHandle, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = LoadLibraryA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = CreateFileA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = DeleteFileA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = lstrcpyA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = lstrlenA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = lstrcatA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = WriteFile, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = HeapAlloc, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = HeapDestroy, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = HeapCreate, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = SetEvent, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = HeapReAlloc, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = WaitForSingleObject, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = SuspendThread, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = OpenProcess, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = ResumeThread, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = lstrcpyW, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = lstrcmpiW, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = GetModuleHandleA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = CreateThread, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = CreateFileW, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = SwitchToThread, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = lstrcatW, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = Sleep, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = GetTickCount, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = SetWaitableTimer, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = CopyFileW, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = GetCurrentThreadId, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = GetCurrentThread, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = DuplicateHandle, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = lstrlenW, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = CreateEventA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = GetWindowsDirectoryA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = DeleteFileW, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = CreateDirectoryW, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = GetTempPathA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = lstrcmpiA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = WaitForMultipleObjects, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = lstrcmpA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = ResetEvent, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = CreateMutexA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = OpenWaitableTimerA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = MapViewOfFile, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = OpenMutexA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = UnmapViewOfFile, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = ReleaseMutex, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = GetVersionExA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = CreateWaitableTimerA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = SetLastError, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = InitializeCriticalSection, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = EnterCriticalSection, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = LeaveCriticalSection, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = UnregisterWait, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = VirtualProtect, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = RegisterWaitForSingleObject, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = TlsAlloc, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = TlsGetValue, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = LoadLibraryExW, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = TlsSetValue, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = GetProcAddress, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = GetDriveTypeW, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = WideCharToMultiByte, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = OpenFileMappingA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = GetExitCodeProcess, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = LocalFree, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = CreateProcessA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = GetFileSize, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = lstrcpynA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = Thread32First, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = QueueUserAPC, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = OpenThread, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = Thread32Next, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = ConnectNamedPipe, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = GetOverlappedResult, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = CancelIo, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = DisconnectNamedPipe, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = FlushFileBuffers, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = CallNamedPipeA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = CreateNamedPipeA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = GetSystemTime, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = WaitNamedPipeA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = ReadFile, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = SleepEx, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = OpenEventA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = LocalAlloc, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = FreeLibrary, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = RaiseException, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = VirtualFree, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = GetModuleFileNameW, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = GetVersion, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = GetLocalTime, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = QueryPerformanceFrequency, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = DeleteCriticalSection, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = GetTempFileNameA, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = FindNextFileW, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = SetEndOfFile, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = SetFilePointer, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = FindFirstFileW, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = RemoveDirectoryW, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = GetFileAttributesW, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = FindClose, ordinal = 0, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = 0, ordinal = 9, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = 0, ordinal = 6, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = 0, ordinal = 2, address_out = 0x5e8fe50 True 1
Fn
Get Address - function = 0, ordinal = 8, address_out = 0x5e8fe50 True 1
Fn
Get Address Unknown module name function = IsWow64Process, address_out = 0x7ffb3d27e960 True 1
Fn
Get Address Unknown module name function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7ffb3c2ed610 True 1
Fn
Get Address Unknown module name function = StrRChrA, address_out = 0x7ffb3aa04dd0 True 1
Fn
Get Address Unknown module name function = wsprintfA, address_out = 0x7ffb3c672610 True 1
Fn
Get Address Unknown module name function = GetUserNameA, address_out = 0x7ffb3c2fec40 True 1
Fn
Get Address Unknown module name function = GetShellWindow, address_out = 0x7ffb3c674060 True 1
Fn
Get Address Unknown module name function = GetWindowThreadProcessId, address_out = 0x7ffb3c664040 True 1
Fn
Get Address Unknown module name function = EnumProcessModules, address_out = 0x7ffb3cfb1040 True 1
Fn
Get Address Unknown module name function = RegOpenKeyA, address_out = 0x7ffb3c2eb9e0 True 1
Fn
Get Address Unknown module name function = RegQueryValueExA, address_out = 0x7ffb3c2e7dd0 True 1
Fn
Get Address Unknown module name function = RegCloseKey, address_out = 0x7ffb3c2e72e0 True 1
Fn
Get Address Unknown module name function = StrToIntExA, address_out = 0x7ffb3aa04e70 True 1
Fn
Get Address Unknown module name function = StrChrA, address_out = 0x7ffb3aa04cc0 True 1
Fn
Get Address Unknown module name function = StrTrimA, address_out = 0x7ffb3aa04e80 True 1
Fn
Get Address Unknown module name function = RegCreateKeyA, address_out = 0x7ffb3c316dc0 True 1
Fn
Get Address Unknown module name function = CreateStreamOnHGlobal, address_out = 0x7ffb3cc970a0 True 1
Fn
Get Address Unknown module name function = StrStrIA, address_out = 0x7ffb3a9fe1c0 True 1
Fn
Get Address Unknown module name function = WinHttpOpen, address_out = 0x7ffb3340bc40 True 1
Fn
Get Address Unknown module name function = RegQueryValueExW, address_out = 0x7ffb3c2e6c70 True 1
Fn
Get Address Unknown module name function = StrChrW, address_out = 0x7ffb3a9fa2a0 True 1
Fn
Get Address Unknown module name function = PathCombineW, address_out = 0x7ffb3a9fd130 True 1
Fn
Get Address Unknown module name function = RegisterClassA, address_out = 0x7ffb3c671310 True 1
Fn
Get Address Unknown module name function = CreateWindowExA, address_out = 0x7ffb3c674df0 True 1
Fn
Get Address Unknown module name function = GetWindowLongPtrA, address_out = 0x7ffb3c65cae0 True 1
Fn
Get Address Unknown module name function = DefWindowProcA, address_out = 0x7ffb3d3a3230 True 1
Fn
Get Address Unknown module name function = SetWindowLongPtrA, address_out = 0x7ffb3c6661f0 True 1
Fn
Get Address Unknown module name function = GetMessageA, address_out = 0x7ffb3c66aa50 True 1
Fn
Get Address Unknown module name function = TranslateMessage, address_out = 0x7ffb3c6636a0 True 1
Fn
Get Address Unknown module name function = DispatchMessageA, address_out = 0x7ffb3c6761e0 True 1
Fn
Get Address Unknown module name function = StrRChrW, address_out = 0x7ffb3a9fdd80 True 1
Fn
Get Address Unknown module name function = PathFindFileNameA, address_out = 0x7ffb3a9fcf30 True 1
Fn
Get Address Unknown module name function = RegSetValueExA, address_out = 0x7ffb3c2d2680 True 1
Fn
Get Address Unknown module name function = WinHttpConnect, address_out = 0x7ffb33409550 True 1
Fn
Get Address Unknown module name function = WinHttpOpenRequest, address_out = 0x7ffb33409c10 True 1
Fn
Get Address Unknown module name function = WinHttpQueryOption, address_out = 0x7ffb333f1900 True 1
Fn
Get Address Unknown module name function = WinHttpSetOption, address_out = 0x7ffb33407a20 True 1
Fn
Get Address Unknown module name function = WinHttpSendRequest, address_out = 0x7ffb33408330 True 1
Fn
Get Address Unknown module name function = RtlExitUserThread, address_out = 0x7ffb3d319fa0 True 1
Fn
Get Address Unknown module name function = CreateRemoteThread, address_out = 0x7ffb3d2a26d0 True 1
Fn
Get Address Unknown module name function = WinHttpReceiveResponse, address_out = 0x7ffb33408c80 True 1
Fn
Get Address Unknown module name function = WinHttpQueryHeaders, address_out = 0x7ffb33406d90 True 1
Fn
Get Address Unknown module name function = WinHttpQueryDataAvailable, address_out = 0x7ffb33416ac0 True 1
Fn
Get Address Unknown module name function = WinHttpReadData, address_out = 0x7ffb33404200 True 1
Fn
Get Address Unknown module name function = StrCmpIW, address_out = 0x7ffb3a9fbe50 True 1
Fn
Get Address Unknown module name function = PathFindExtensionA, address_out = 0x7ffb3aa04800 True 1
Fn
Get Address Unknown module name function = WinHttpCloseHandle, address_out = 0x7ffb33405860 True 1
Fn
Get Address - function = HeapDestroy, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CreateThread, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CreateEventW, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetLastError, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = SetEvent, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CloseHandle, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = WaitForMultipleObjects, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = DeleteFileA, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = RemoveDirectoryA, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CreateDirectoryA, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = HeapCreate, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = SetEnvironmentVariableA, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CompareStringW, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CompareStringA, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = ReleaseMutex, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = WaitForSingleObject, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CreateMutexW, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = HeapFree, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = HeapReAlloc, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = SetLastError, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = HeapAlloc, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = DisableThreadLibraryCalls, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = Sleep, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = FindFirstFileW, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = PeekNamedPipe, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = SetHandleInformation, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = OpenProcess, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetSystemDirectoryW, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = LoadLibraryW, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetExitCodeProcess, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CreateProcessA, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = TerminateProcess, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = ReadFile, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = FindClose, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CreatePipe, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = FindNextFileW, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetFileSize, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = MapViewOfFile, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = UnmapViewOfFile, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = InitializeCriticalSection, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = FormatMessageW, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetVersionExW, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = LeaveCriticalSection, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CreateFileW, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = EnterCriticalSection, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CreateFileMappingW, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetSystemInfo, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = DeleteCriticalSection, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetCurrentThreadId, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = LocalFree, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetTempPathW, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = FreeLibrary, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetProcAddress, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetModuleHandleW, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = WriteFile, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = MultiByteToWideChar, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetStdHandle, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetFileType, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetVersion, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GlobalMemoryStatus, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = QueryPerformanceCounter, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetTickCount, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetCurrentProcessId, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = WideCharToMultiByte, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = LoadLibraryA, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = FlushConsoleInputBuffer, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = SystemTimeToFileTime, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetSystemTime, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = InitializeCriticalSectionAndSpinCount, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = PostQueuedCompletionStatus, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = QueryPerformanceFrequency, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = LocalAlloc, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = FlsSetValue, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetCommandLineA, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetDateFormatA, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetTimeFormatA, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = ExitProcess, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = FileTimeToSystemTime, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetFileInformationByHandle, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetDriveTypeA, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = FindFirstFileA, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = MoveFileA, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = ExitThread, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = ResumeThread, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = LockFile, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = UnlockFile, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = SetFileTime, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = LocalFileTimeToFileTime, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetFullPathNameA, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = SetFilePointer, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = UnhandledExceptionFilter, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = SetUnhandledExceptionFilter, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = RtlCaptureContext, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = SetConsoleCtrlHandler, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = ReadConsoleInputA, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = SetConsoleMode, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetConsoleMode, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CreateFileA, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetCurrentProcess, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = IsDebuggerPresent, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = RtlVirtualUnwind, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = RtlLookupFunctionEntry, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetCPInfo, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetACP, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetOEMCP, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = IsValidCodePage, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = EncodePointer, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = DecodePointer, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = FlsGetValue, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = FlsFree, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = FlsAlloc, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = SetHandleCount, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetStartupInfoA, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetModuleFileNameA, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = FreeEnvironmentStringsA, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetEnvironmentStrings, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = FreeEnvironmentStringsW, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetEnvironmentStringsW, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = HeapSetInformation, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = RtlUnwindEx, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetTimeZoneInformation, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = HeapSize, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = SetStdHandle, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetCurrentDirectoryA, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetConsoleCP, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = LCMapStringA, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = LCMapStringW, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = FlushFileBuffers, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = SetEndOfFile, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetProcessHeap, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetStringTypeA, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetStringTypeW, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetLocaleInfoA, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = WriteConsoleA, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetConsoleOutputCP, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = WriteConsoleW, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = RaiseException, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = 0, ordinal = 22, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = 0, ordinal = 112, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = 0, ordinal = 17, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = 0, ordinal = 20, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = 0, ordinal = 52, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = 0, ordinal = 57, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = 0, ordinal = 111, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = 0, ordinal = 23, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = 0, ordinal = 3, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = 0, ordinal = 1, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = 0, ordinal = 16, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = 0, ordinal = 19, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = 0, ordinal = 4, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = 0, ordinal = 21, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = 0, ordinal = 2, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = 0, ordinal = 7, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = 0, ordinal = 13, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = 0, ordinal = 14, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = 0, ordinal = 8, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = 0, ordinal = 15, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = 0, ordinal = 115, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = 0, ordinal = 18, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = 0, ordinal = 10, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = 0, ordinal = 116, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = 0, ordinal = 9, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = 0, ordinal = 6, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CertOpenStore, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CertFreeCertificateContext, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CertFindCertificateInStore, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CertCloseStore, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CertGetCertificateContextProperty, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CertEnumCertificatesInStore, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CertDuplicateCertificateContext, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetProcessWindowStation, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = GetUserObjectInformationW, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = MessageBoxW, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CryptSignHashW, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CryptGetProvParam, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CryptCreateHash, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CryptDestroyKey, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CryptDecrypt, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CryptDestroyHash, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CryptGetUserKey, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CryptAcquireContextW, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CryptGenRandom, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = RegQueryValueExW, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = RegOpenKeyExW, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = RegCloseKey, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = RegisterEventSourceW, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = DeregisterEventSource, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = ReportEventW, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CryptSetHashParam, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CryptExportKey, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CryptReleaseContext, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = CryptEnumProvidersW, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = SHGetPathFromIDListW, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = SHGetMalloc, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address - function = SHGetSpecialFolderLocation, ordinal = 0, address_out = 0x5f0f3a0 True 1
Fn
Get Address Unknown module name function = GetTickCount64, address_out = 0x7ffb3d2765a0 True 1
Fn
Get Address Unknown module name function = GetTickCount, address_out = 0x7ffb3d2760a0 True 1
Fn
Get Address Unknown module name function = NetStatisticsGet, address_out = 0x7ffb30242480 True 2
Fn
Get Address Unknown module name function = NetApiBufferFree, address_out = 0x7ffb38f91930 True 2
Fn
Get Address Unknown module name function = CryptAcquireContextW, address_out = 0x7ffb3c2e89e0 True 2
Fn
Get Address Unknown module name function = CryptGenRandom, address_out = 0x7ffb3c2e90d0 True 2
Fn
Get Address Unknown module name function = CryptReleaseContext, address_out = 0x7ffb3c2e8ee0 True 2
Fn
Get Address Unknown module name function = _OPENSSL_isservice, address_out = 0x0 False 1
Fn
Get Address Unknown module name function = GetForegroundWindow, address_out = 0x7ffb3c680010 True 2
Fn
Get Address Unknown module name function = GetCursorInfo, address_out = 0x7ffb3c683480 True 2
Fn
Get Address Unknown module name function = GetQueueStatus, address_out = 0x7ffb3c66ae40 True 2
Fn
Get Address Unknown module name function = CreateToolhelp32Snapshot, address_out = 0x7ffb3d286830 True 2
Fn
Get Address Unknown module name function = CloseToolhelp32Snapshot, address_out = 0x0 False 2
Fn
Get Address Unknown module name function = Heap32First, address_out = 0x7ffb3d2a4d30 True 2
Fn
Get Address Unknown module name function = Heap32Next, address_out = 0x7ffb3d2a5150 True 2
Fn
Get Address Unknown module name function = Heap32ListFirst, address_out = 0x7ffb3d2a4f80 True 2
Fn
Get Address Unknown module name function = Heap32ListNext, address_out = 0x7ffb3d2a5070 True 2
Fn
Get Address Unknown module name function = Process32First, address_out = 0x7ffb3d2a55f0 True 2
Fn
Get Address Unknown module name function = Process32Next, address_out = 0x7ffb3d2a56e0 True 2
Fn
Get Address Unknown module name function = Thread32First, address_out = 0x7ffb3d2801b0 True 2
Fn
Get Address Unknown module name function = Thread32Next, address_out = 0x7ffb3d276720 True 2
Fn
Get Address Unknown module name function = Module32First, address_out = 0x7ffb3d2a53b0 True 2
Fn
Get Address Unknown module name function = Module32Next, address_out = 0x7ffb3d2a54d0 True 2
Fn
Get Address Unknown module name function = 115, address_out = 0x7ffb3c5730c0 True 1
Fn
Get Address Unknown module name function = 52, address_out = 0x7ffb3c59aab0 True 1
Fn
Get Address Unknown module name function = 116, address_out = 0x7ffb3c583ce0 True 1
Fn
Get Address Unknown module name function = RegNotifyChangeKeyValue, address_out = 0x7ffb3c2e8fd0 True 1
Fn
Get Address Unknown module name function = CoInitializeEx, address_out = 0x7ffb3cce3170 True 1
Fn
Get Address Unknown module name function = CoCreateInstance, address_out = 0x7ffb3ccf7000 True 1
Fn
Get Address Unknown module name function = PathFindFileNameW, address_out = 0x7ffb3a9fb610 True 1
Fn
Get Address Unknown module name function = GetProcessImageFileNameW, address_out = 0x7ffb3cfb10a0 True 1
Fn
Get Address Unknown module name function = wsprintfW, address_out = 0x7ffb3c67b1d0 True 1
Fn
Get Address Unknown module name function = RegQueryValueA, address_out = 0x7ffb3c318180 True 1
Fn
Get Address Unknown module name function = RegOpenKeyExW, address_out = 0x7ffb3c2e6cb0 True 1
Fn
Get Address Unknown module name function = StrDupW, address_out = 0x7ffb3a9fd270 True 1
Fn
Get Address Unknown module name function = CoCreateGuid, address_out = 0x7ffb3cce2340 True 1
Fn
Get Address Unknown module name function = CoUninitialize, address_out = 0x7ffb3cce2380 True 1
Fn
Create Mapping - protection = PAGE_EXECUTE_READWRITE, maximum_size = 157544624 True 1
Fn
Create Mapping - protection = PAGE_EXECUTE_READWRITE, maximum_size = 99661504 True 1
Fn
Map - process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xf3c0000 True 1
Fn
Map - process_name = c:\windows\system32\runtimebroker.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x942a670000 True 1
Fn
Map - process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xa340000 True 1
Fn
Map - process_name = "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE, protection = PAGE_EXECUTE_READWRITE, address_out = 0x7eac890000 True 1
Fn
Window (1)
Operation Window Name Additional Information Success Count Logfile
Create - class_name = {9696FF0D-1508-34C7-917A-554EEBBC4FB0}, wndproc_parameter = 249366880 True 1
Fn
System (599)
Operation Additional Information Success Count Logfile
Sleep duration = -1 (infinite) False 2
Fn
Sleep duration = -1 (infinite) True 7
Fn
Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
Get Time type = System Time, time = 2017-12-11 16:43:38 (UTC) True 1
Fn
Get Time type = System Time, time = 2017-12-11 16:43:39 (UTC) True 2
Fn
Get Time type = Ticks, time = 140390 True 1
Fn
Get Time type = System Time, time = 2017-12-11 16:43:54 (UTC) True 2
Fn
Get Time type = System Time, time = 2017-12-11 16:43:58 (UTC) True 21
Fn
Get Time type = Ticks, time = 159593 True 1
Fn
Get Time type = Ticks, time = 159734 True 2
Fn
Get Time type = Ticks, time = 160062 True 1
Fn
Get Time type = Ticks, time = 160453 True 1
Fn
Get Time type = Ticks, time = 160718 True 1
Fn
Get Time type = Ticks, time = 160890 True 1
Fn
Get Time type = Ticks, time = 161078 True 1
Fn
Get Time type = Ticks, time = 161093 True 8
Fn
Get Time type = Ticks, time = 161109 True 6
Fn
Get Time type = Ticks, time = 161125 True 7
Fn
Get Time type = Ticks, time = 161140 True 7
Fn
Get Time type = Ticks, time = 161171 True 8
Fn
Get Time type = Ticks, time = 161187 True 9
Fn
Get Time type = Ticks, time = 161203 True 9
Fn
Get Time type = Ticks, time = 161218 True 5
Fn
Get Time type = Ticks, time = 162453 True 1
Fn
Get Time type = Ticks, time = 162921 True 1
Fn
Get Time type = Ticks, time = 163281 True 1
Fn
Get Time type = Ticks, time = 163640 True 9
Fn
Get Time type = Ticks, time = 163656 True 8
Fn
Get Time type = Ticks, time = 163671 True 6
Fn
Get Time type = Ticks, time = 163687 True 6
Fn
Get Time type = Ticks, time = 163703 True 2
Fn
Get Time type = Ticks, time = 163984 True 11
Fn
Get Time type = Ticks, time = 164000 True 7
Fn
Get Time type = Ticks, time = 164015 True 7
Fn
Get Time type = Ticks, time = 164031 True 1
Fn
Get Time type = System Time, time = 2017-12-11 16:44:03 (UTC) True 276
Fn
Get Time type = Ticks, time = 164750 True 1
Fn
Get Time type = Ticks, time = 164765 True 4
Fn
Get Time type = Ticks, time = 164796 True 2
Fn
Get Time type = Ticks, time = 164828 True 2
Fn
Get Time type = Ticks, time = 164859 True 4
Fn
Get Time type = Ticks, time = 164875 True 1
Fn
Get Time type = Ticks, time = 164890 True 2
Fn
Get Time type = Ticks, time = 164906 True 4
Fn
Get Time type = Ticks, time = 164968 True 1
Fn
Get Time type = Ticks, time = 164984 True 1
Fn
Get Time type = Ticks, time = 165062 True 4
Fn
Get Time type = Ticks, time = 165093 True 3
Fn
Get Time type = Ticks, time = 165109 True 2
Fn
Get Time type = Ticks, time = 165140 True 10
Fn
Get Time type = System Time, time = 2017-12-11 16:44:04 (UTC) True 97
Fn
Get Time type = Ticks, time = 165156 True 6
Fn
Get Info type = Operating System True 9
Fn
Get Info type = Operating System True 2
Fn
Get Info type = Hardware Information True 1
Fn
Get Info type = System Directory, result_out = C:\Windows\system32 True 3
Fn
Mutex (9)
Operation Additional Information Success Count Logfile
Create mutex_name = {0F90C438-223E-19A7-A4B3-765D18970AE1} True 1
Fn
Create mutex_name = Local\{14572DFD-6357-66D5-8D88-47FA113C6BCE} True 1
Fn
Create mutex_name = Local\{2EBE0010-B5EF-903D-AF42-B9C45396FD38} True 1
Fn
Create mutex_name = Local\{CC210EB6-BBF2-DEC8-A5C0-1FF2A9F4C346} True 1
Fn
Create - True 1
Fn
Open mutex_name = Local\{14572DFD-6357-66D5-8D88-47FA113C6BCE}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE False 1
Fn
Open mutex_name = Local\{2EBE0010-B5EF-903D-AF42-B9C45396FD38}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE False 1
Fn
Open mutex_name = Local\{CC210EB6-BBF2-DEC8-A5C0-1FF2A9F4C346}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE False 1
Fn
Release mutex_name = Local\{14572DFD-6357-66D5-8D88-47FA113C6BCE} True 1
Fn
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Fn
Data
Network Behavior
DNS (1)
Operation Additional Information Success Count Logfile
Resolve Name host = 87.142.152.58, address_out = 87.142.152.58 True 1
Fn
TCP Sessions (2)
Information Value
Total Data Sent 2.72 KB (2789 bytes)
Total Data Received 22.41 KB (22946 bytes)
Contacted Host Count 2
Contacted Hosts 127.0.0.1:49430, 193.23.244.244:443
TCP Session #1
Information Value
Handle 0x2108
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_IP
Remote Address 127.0.0.1
Remote Port 49430
Local Address -
Local Port -
Data Sent 0.00 KB (0 bytes)
Data Received 0.00 KB (0 bytes)
Operations
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Connect remote_address = 127.0.0.1, remote_port = 49430 False 1
Fn
TCP Session #2
Information Value
Handle 0xcd8
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 193.23.244.244
Remote Port 443
Local Address 0.0.0.0
Local Port 49432
Data Sent 2.72 KB (2789 bytes)
Data Received 22.41 KB (22946 bytes)
Operations
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Connect remote_address = 193.23.244.244, remote_port = 443 True 1
Send flags = NO_FLAG_SET, size = 237, size_out = 237 True 1
Receive flags = NO_FLAG_SET, size = 7, size_out = -1 False 2
Receive flags = NO_FLAG_SET, size = 7, size_out = 7 True 1
Receive flags = NO_FLAG_SET, size = 60, size_out = 60 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 586, size_out = 586 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 331, size_out = 331 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 4, size_out = 4 True 1
Send flags = NO_FLAG_SET, size = 134, size_out = 134 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = -1 False 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1
Send flags = NO_FLAG_SET, size = 74, size_out = 74 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 32, size_out = 32 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 2048, size_out = 2048 True 1
Send flags = NO_FLAG_SET, size = 586, size_out = 586 True 2
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 32, size_out = 32 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 544, size_out = 544 True 1
Send flags = NO_FLAG_SET, size = 586, size_out = 586 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 32, size_out = 32 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 544, size_out = 544 True 1
Send flags = NO_FLAG_SET, size = 586, size_out = 586 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 32, size_out = 32 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 4080, size_out = 4080 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 32, size_out = 32 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 4080, size_out = 4080 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 32, size_out = 32 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 640, size_out = 640 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 32, size_out = 32 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 4080, size_out = 4080 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 32, size_out = 32 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 4080, size_out = 4080 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 32, size_out = 32 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 640, size_out = 640 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 32, size_out = 32 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 4080, size_out = 728 True 1
Receive flags = NO_FLAG_SET, size = 3352, size_out = -1 False 1
UDP Sessions (2)
Information Value
Total Data Sent 0.00 KB (0 bytes)
Total Data Received 0.00 KB (0 bytes)
Contacted Host Count 1
Contacted Hosts 18.0.0.1:9
UDP Session #1
Information Value
Handle 0x1180
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_UDP
Local Address -
Local Port -
Data Sent 0.00 KB (0 bytes)
Data Received 0.00 KB (0 bytes)
Operations
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_UDP, address_family = AF_INET, type = SOCK_DGRAM True 1
Connect remote_address = 18.0.0.1, remote_port = 9 False 1
Close type = SOCK_DGRAM True 1
UDP Session #2
Information Value
Handle 0x1180
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_UDP
Local Address -
Local Port -
Data Sent 0.00 KB (0 bytes)
Data Received 0.00 KB (0 bytes)
Operations
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_UDP, address_family = AF_INET, type = SOCK_DGRAM True 1
Connect remote_address = 18.0.0.1, remote_port = 9 False 1
Close type = SOCK_DGRAM True 1
TCP Server (1)
Operation Additional Information Success Count Logfile
Listen local_address = 127.0.0.1, local_port = 49430, queue_length = 1, hint = "OS assigned a local port from the dynamic client port range." True 1
HTTP Sessions (1)
Information Value
Total Data Sent 0.17 KB (175 bytes)
Total Data Received 3.02 MB (3162891 bytes)
Contacted Host Count 1
Contacted Hosts titanliquor.ca
HTTP Session #1
Information Value
Server Name titanliquor.ca
Server Port 80
Data Sent 0.17 KB (175 bytes)
Data Received 3.02 MB (3162891 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session access_type = WINHTTP_ACCESS_TYPE_AUTOMATIC_PROXY, flags = WINHTTP_FLAG_SYNC True 1
Open Connection protocol = HTTP, server_name = titanliquor.ca, server_port = 80 True 1
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /images/A/2.tif, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE True 1
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = titanliquor.ca/images/A/2.tif True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Query HTTP Info flags = HTTP_QUERY_RAW_HEADERS_CRLF False 1
Query HTTP Info flags = HTTP_QUERY_RAW_HEADERS_CRLF, size_out = 710 True 1
Read Response size = 3693, size_out = 3693 True 1
Read Response size = 4096, size_out = 4096 True 2
Read Response size = 2280, size_out = 2280 True 1
Read Response size = 2904, size_out = 2904 True 1
Read Response size = 4096, size_out = 4096 True 4
Read Response size = 2492, size_out = 2492 True 1
Read Response size = 2904, size_out = 2904 True 1
Read Response size = 4096, size_out = 4096 True 2
Read Response size = 520, size_out = 520 True 1
Read Response size = 4096, size_out = 4096 True 1
Read Response size = 1712, size_out = 1712 True 1
Read Response size = 4096, size_out = 4096 True 2
Read Response size = 3424, size_out = 3424 True 1
Read Response size = 4096, size_out = 4096 True 11
Read Response size = 1408, size_out = 1408 True 1
Read Response size = 4096, size_out = 4096 True 2
Read Response size = 3424, size_out = 3424 True 1
Read Response size = 4096, size_out = 4096 True 2
Read Response size = 3424, size_out = 3424 True 1
Read Response size = 2904, size_out = 2904 True 3
Read Response size = 4096, size_out = 4096 True 2
Read Response size = 1972, size_out = 1972 True 1
Read Response size = 4096, size_out = 4096 True 2
Read Response size = 3424, size_out = 3424 True 1
Read Response size = 4096, size_out = 4096 True 2
Read Response size = 1972, size_out = 1972 True 1
Read Response size = 2904, size_out = 2904 True 2
Read Response size = 4096, size_out = 4096 True 2
Read Response size = 1972, size_out = 1972 True 1
Read Response size = 1452, size_out = 1452 True 1
Read Response size = 4096, size_out = 4096 True 3
Read Response size = 2232, size_out = 2232 True 1
Read Response size = 4096, size_out = 4096 True 8
Read Response size = 2080, size_out = 2080 True 1
Read Response size = 4096, size_out = 4096 True 2
Read Response size = 3424, size_out = 3424 True 1
Read Response size = 4096, size_out = 4096 True 1
Read Response size = 1712, size_out = 1712 True 1
Read Response size = 4096, size_out = 4096 True 14
Read Response size = 736, size_out = 736 True 1
Read Response size = 4096, size_out = 4096 True 3
Read Response size = 780, size_out = 780 True 1
Read Response size = 2904, size_out = 2904 True 1
Read Response size = 4096, size_out = 4096 True 1
Read Response size = 1712, size_out = 1712 True 1
Read Response size = 4096, size_out = 4096 True 12
Read Response size = 3120, size_out = 3120 True 1
Read Response size = 2904, size_out = 2904 True 1
Read Response size = 4096, size_out = 4096 True 2
Read Response size = 520, size_out = 520 True 1
Read Response size = 4096, size_out = 4096 True 2
Read Response size = 3424, size_out = 3424 True 1
Read Response size = 4096, size_out = 4096 True 1
Read Response size = 260, size_out = 260 True 1
Read Response size = 4096, size_out = 4096 True 13
Read Response size = 3380, size_out = 3380 True 1
Read Response size = 4096, size_out = 4096 True 1
Read Response size = 3164, size_out = 3164 True 1
Read Response size = 4096, size_out = 4096 True 10
Read Response size = 2600, size_out = 2600 True 1
Read Response size = 4096, size_out = 4096 True 1
Read Response size = 1712, size_out = 1712 True 1
Read Response size = 4096, size_out = 4096 True 11
Read Response size = 1408, size_out = 1408 True 1
Read Response size = 4096, size_out = 4096 True 2
Read Response size = 520, size_out = 520 True 1
Read Response size = 4096, size_out = 4096 True 2
Read Response size = 520, size_out = 520 True 1
Read Response size = 1452, size_out = 1452 True 1
Read Response size = 4096, size_out = 4096 True 3
Read Response size = 780, size_out = 780 True 1
Read Response size = 4096, size_out = 4096 True 2
Read Response size = 1972, size_out = 1972 True 1
Read Response size = 4096, size_out = 4096 True 3
Read Response size = 3684, size_out = 3684 True 1
Read Response size = 4096, size_out = 4096 True 1
Read Response size = 1712, size_out = 1712 True 1
Read Response size = 4096, size_out = 4096 True 36
Read Response size = 3552, size_out = 3552 True 1
Read Response size = 4096, size_out = 4096 True 3
Read Response size = 780, size_out = 780 True 1
Read Response size = 4096, size_out = 4096 True 1
Read Response size = 3164, size_out = 3164 True 1
Read Response size = 4096, size_out = 4096 True 2
Read Response size = 3424, size_out = 3424 True 1
Read Response size = 2904, size_out = 2904 True 1
Read Response size = 4096, size_out = 4096 True 3
Read Response size = 780, size_out = 780 True 1
Read Response size = 4096, size_out = 4096 True 3
Read Response size = 2232, size_out = 2232 True 1
Read Response size = 4096, size_out = 4096 True 3
Read Response size = 780, size_out = 780 True 1
Read Response size = 4096, size_out = 4096 True 3
Read Response size = 2232, size_out = 2232 True 1
Read Response size = 4096, size_out = 4096 True 4
Read Response size = 1040, size_out = 1040 True 1
Read Response size = 4096, size_out = 4096 True 2
Read Response size = 3424, size_out = 3424 True 1
Read Response size = 4096, size_out = 4096 True 1
Read Response size = 3164, size_out = 3164 True 1
Read Response size = 4096, size_out = 4096 True 2
Read Response size = 520, size_out = 520 True 1
Read Response size = 1452, size_out = 1452 True 1
Read Response size = 4096, size_out = 4096 True 2
Read Response size = 1972, size_out = 1972 True 1
Read Response size = 1452, size_out = 1452 True 1
Read Response size = 4096, size_out = 4096 True 1
Read Response size = 260, size_out = 260 True 1
Read Response size = 4096, size_out = 4096 True 7
Read Response size = 368, size_out = 368 True 1
Read Response size = 1452, size_out = 1452 True 1
Read Response size = 4096, size_out = 4096 True 13
Read Response size = 476, size_out = 476 True 1
Read Response size = 1452, size_out = 1452 True 1
Read Response size = 4096, size_out = 4096 True 3
Read Response size = 780, size_out = 780 True 1
Read Response size = 4096, size_out = 4096 True 516
Read Response size = 3556, size_out = 3556 True 1
Close Session - True 1
Process #10: runtimebroker.exe
(Host: 210, Network: 0)
Information Value
ID #10
File Name c:\windows\system32\runtimebroker.exe
Command Line C:\Windows\System32\RuntimeBroker.exe -Embedding
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:03, Reason: Injection
Unmonitor End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration 00:01:17
OS Process Information
Information Value
PID 0x85c
Parent PID 0x248 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xBF4
0xB34
0x888
0x880
0x87C
0x874
0x860
0xE30
0xE2C
0x478
0xF38
0xED8
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
pagefile_0x0000009427ea0000 0x9427ea0000 0x9427eaffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000009427eb0000 0x9427eb0000 0x9427eb0fff Private Memory Readable, Writable True False False
pagefile_0x0000009427ec0000 0x9427ec0000 0x9427ed3fff Pagefile Backed Memory Readable True False False
private_0x0000009427ee0000 0x9427ee0000 0x9427f5ffff Private Memory Readable, Writable True False False
pagefile_0x0000009427f60000 0x9427f60000 0x9427f63fff Pagefile Backed Memory Readable True False False
pagefile_0x0000009427f70000 0x9427f70000 0x9427f71fff Pagefile Backed Memory Readable True False False
private_0x0000009427f80000 0x9427f80000 0x9427f81fff Private Memory Readable, Writable True False False
private_0x0000009427f90000 0x9427f90000 0x9427f90fff Private Memory Readable, Writable True False False
pagefile_0x0000009427fa0000 0x9427fa0000 0x9427fa0fff Pagefile Backed Memory Readable True False False
private_0x0000009427fb0000 0x9427fb0000 0x9427fb6fff Private Memory Readable, Writable True False False
pagefile_0x0000009427fc0000 0x9427fc0000 0x9427fc0fff Pagefile Backed Memory Readable True False False
pagefile_0x0000009427fd0000 0x9427fd0000 0x9427ff9fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000009428000000 0x9428000000 0x94280fffff Private Memory Readable, Writable True False False
locale.nls 0x9428100000 0x94281bdfff Memory Mapped File Readable False False False
private_0x00000094281c0000 0x94281c0000 0x942823ffff Private Memory Readable, Writable True False False
pagefile_0x0000009428240000 0x9428240000 0x9428242fff Pagefile Backed Memory Readable True False False
pagefile_0x0000009428250000 0x9428250000 0x9428250fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000009428260000 0x9428260000 0x9428260fff Pagefile Backed Memory Readable, Writable True False False
windows.storage.dll.mui 0x9428270000 0x9428277fff Memory Mapped File Readable False False False
cversions.2.db 0x9428280000 0x9428283fff Memory Mapped File Readable True False False
private_0x0000009428290000 0x9428290000 0x9428296fff Private Memory Readable, Writable True False False
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000012.db 0x94282a0000 0x94282c1fff Memory Mapped File Readable True False False
pagefile_0x00000094282d0000 0x94282d0000 0x94282d0fff Pagefile Backed Memory Readable, Writable True False False
cversions.2.db 0x94282e0000 0x94282e3fff Memory Mapped File Readable True False False
private_0x00000094282f0000 0x94282f0000 0x94282f0fff Private Memory Readable, Writable, Executable True False False
private_0x0000009428300000 0x9428300000 0x94283fffff Private Memory Readable, Writable True False False
private_0x0000009428400000 0x9428400000 0x942847ffff Private Memory Readable, Writable True False False
pagefile_0x0000009428480000 0x9428480000 0x9428607fff Pagefile Backed Memory Readable True False False
pagefile_0x0000009428610000 0x9428610000 0x9428790fff Pagefile Backed Memory Readable True False False
pagefile_0x00000094287a0000 0x94287a0000 0x9429b9ffff Pagefile Backed Memory Readable True False False
sortdefault.nls 0x9429ba0000 0x9429ed6fff Memory Mapped File Readable False False False
private_0x0000009429ee0000 0x9429ee0000 0x9429f5ffff Private Memory Readable, Writable True False False
private_0x0000009429f60000 0x9429f60000 0x9429fdffff Private Memory Readable, Writable True False False
private_0x0000009429fe0000 0x9429fe0000 0x942a05ffff Private Memory Readable, Writable True False False
private_0x000000942a060000 0x942a060000 0x942a0c8fff Private Memory Readable, Writable True False False
private_0x000000942a060000 0x942a060000 0x942a061fff Private Memory Readable, Writable True False False
private_0x000000942a0c0000 0x942a0c0000 0x942a0c8fff Private Memory Readable, Writable True False False
private_0x000000942a0e0000 0x942a0e0000 0x942a15ffff Private Memory Readable, Writable True False False
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000007.db 0x942a160000 0x942a1a2fff Memory Mapped File Readable True False False
private_0x000000942a1b0000 0x942a1b0000 0x942a1b6fff Private Memory Readable, Writable True False False
propsys.dll.mui 0x942a1c0000 0x942a1d0fff Memory Mapped File Readable False False False
private_0x000000942a200000 0x942a200000 0x942a2fffff Private Memory Readable, Writable True False False
private_0x000000942a300000 0x942a300000 0x942a3fffff Private Memory Readable, Writable True False False
private_0x000000942a400000 0x942a400000 0x942a47ffff Private Memory Readable, Writable True False False
kernelbase.dll.mui 0x942a500000 0x942a5defff Memory Mapped File Readable False False False
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db 0x942a5e0000 0x942a66afff Memory Mapped File Readable True False False
pagefile_0x000000942a670000 0x942a670000 0x942a701fff Pagefile Backed Memory Readable, Writable, Executable True False False
private_0x000000942a710000 0x942a710000 0x942a90ffff Private Memory Readable, Writable True False False
private_0x000000942a800000 0x942a800000 0x942a8fffff Private Memory Readable, Writable True False False
private_0x000000942a900000 0x942a900000 0x942aafffff Private Memory Readable, Writable True False False
private_0x000000942a900000 0x942a900000 0x942a9fffff Private Memory Readable, Writable True False False
private_0x000000942aa00000 0x942aa00000 0x942abfffff Private Memory Readable, Writable True False False
private_0x000000942aa00000 0x942aa00000 0x942aafffff Private Memory Readable, Writable True False False
private_0x000000942ab00000 0x942ab00000 0x942acfffff Private Memory Readable, Writable True False False
private_0x000000942ab00000 0x942ab00000 0x942abfffff Private Memory Readable, Writable True False False
pagefile_0x00007df5ff630000 0x7df5ff630000 0x7ff5ff62ffff Pagefile Backed Memory - True False False
private_0x00007ff7186e8000 0x7ff7186e8000 0x7ff7186e9fff Private Memory Readable, Writable True False False
private_0x00007ff7186ea000 0x7ff7186ea000 0x7ff7186ebfff Private Memory Readable, Writable True False False
private_0x00007ff7186ee000 0x7ff7186ee000 0x7ff7186effff Private Memory Readable, Writable True False False
pagefile_0x00007ff7186f0000 0x7ff7186f0000 0x7ff7187effff Pagefile Backed Memory Readable True False False
pagefile_0x00007ff7187f0000 0x7ff7187f0000 0x7ff718812fff Pagefile Backed Memory Readable True False False
private_0x00007ff718814000 0x7ff718814000 0x7ff718814fff Private Memory Readable, Writable True False False
private_0x00007ff718816000 0x7ff718816000 0x7ff718817fff Private Memory Readable, Writable True False False
private_0x00007ff718818000 0x7ff718818000 0x7ff718819fff Private Memory Readable, Writable True False False
private_0x00007ff71881a000 0x7ff71881a000 0x7ff71881bfff Private Memory Readable, Writable True False False
private_0x00007ff71881c000 0x7ff71881c000 0x7ff71881dfff Private Memory Readable, Writable True False False
private_0x00007ff71881e000 0x7ff71881e000 0x7ff71881ffff Private Memory Readable, Writable True False False
runtimebroker.exe 0x7ff719590000 0x7ff7195a5fff Memory Mapped File Readable, Writable, Executable False False False
ntoskrnl.exe 0x7ff7a62c0000 0x7ff7a6b11fff Memory Mapped File Readable, Writable, Executable False False False
windows.storage.search.dll 0x7ffb25f30000 0x7ffb25ffafff Memory Mapped File Readable, Writable, Executable False False False
structuredquery.dll 0x7ffb26000000 0x7ffb260b6fff Memory Mapped File Readable, Writable, Executable False False False
windows.internal.shell.broker.dll 0x7ffb29c70000 0x7ffb29d01fff Memory Mapped File Readable, Writable, Executable False False False
wwapi.dll 0x7ffb2afc0000 0x7ffb2afd5fff Memory Mapped File Readable, Writable, Executable False False False
windows.networking.connectivity.dll 0x7ffb2afe0000 0x7ffb2b08bfff Memory Mapped File Readable, Writable, Executable False False False
tokenbroker.dll 0x7ffb2cfd0000 0x7ffb2d095fff Memory Mapped File Readable, Writable, Executable False False False
execmodelclient.dll 0x7ffb2d630000 0x7ffb2d672fff Memory Mapped File Readable, Writable, Executable False False False
edputil.dll 0x7ffb2dc70000 0x7ffb2dc9efff Memory Mapped File Readable, Writable, Executable False False False
actxprxy.dll 0x7ffb2dd30000 0x7ffb2e199fff Memory Mapped File Readable, Writable, Executable False False False
npmproxy.dll 0x7ffb2e8e0000 0x7ffb2e8edfff Memory Mapped File Readable, Writable, Executable False False False
wlanapi.dll 0x7ffb2e9e0000 0x7ffb2ea3efff Memory Mapped File Readable, Writable, Executable False False False
netprofm.dll 0x7ffb2fa50000 0x7ffb2fa8efff Memory Mapped File Readable, Writable, Executable False False False
idstore.dll 0x7ffb30d10000 0x7ffb30d36fff Memory Mapped File Readable, Writable, Executable False False False
windows.networking.hostname.dll 0x7ffb30dd0000 0x7ffb30e07fff Memory Mapped File Readable, Writable, Executable False False False
windows.ui.immersive.dll 0x7ffb318e0000 0x7ffb31a96fff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x7ffb31aa0000 0x7ffb31e15fff Memory Mapped File Readable, Writable, Executable False False False
mrmcorer.dll 0x7ffb32ec0000 0x7ffb32fcefff Memory Mapped File Readable, Writable, Executable False False False
msvcp110_win.dll 0x7ffb350b0000 0x7ffb35141fff Memory Mapped File Readable, Writable, Executable False False False
policymanager.dll 0x7ffb35150000 0x7ffb35188fff Memory Mapped File Readable, Writable, Executable False False False
xmllite.dll 0x7ffb352c0000 0x7ffb352f5fff Memory Mapped File Readable, Writable, Executable False False False
wintypes.dll 0x7ffb36330000 0x7ffb36460fff Memory Mapped File Readable, Writable, Executable False False False
samlib.dll 0x7ffb36530000 0x7ffb3654bfff Memory Mapped File Readable, Writable, Executable False False False
samcli.dll 0x7ffb366c0000 0x7ffb366d7fff Memory Mapped File Readable, Writable, Executable False False False
propsys.dll 0x7ffb36950000 0x7ffb36ad2fff Memory Mapped File Readable, Writable, Executable False False False
mmdevapi.dll 0x7ffb36ae0000 0x7ffb36b51fff Memory Mapped File Readable, Writable, Executable False False False
wkscli.dll 0x7ffb36c00000 0x7ffb36c15fff Memory Mapped File Readable, Writable, Executable False False False
winnsi.dll 0x7ffb373f0000 0x7ffb373fafff Memory Mapped File Readable, Writable, Executable False False False
iphlpapi.dll 0x7ffb37410000 0x7ffb37447fff Memory Mapped File Readable, Writable, Executable False False False
wtsapi32.dll 0x7ffb37a60000 0x7ffb37a72fff Memory Mapped File Readable, Writable, Executable False False False
sppc.dll 0x7ffb37af0000 0x7ffb37b14fff Memory Mapped File Readable, Writable, Executable False False False
slc.dll 0x7ffb37b20000 0x7ffb37b45fff Memory Mapped File Readable, Writable, Executable False False False
coremessaging.dll 0x7ffb380d0000 0x7ffb38197fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x7ffb38610000 0x7ffb386a5fff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x7ffb386b0000 0x7ffb386d6fff Memory Mapped File Readable, Writable, Executable False False False
twinapi.appcore.dll 0x7ffb387f0000 0x7ffb388ddfff Memory Mapped File Readable, Writable, Executable False False False
netutils.dll 0x7ffb38f90000 0x7ffb38f9bfff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x7ffb39260000 0x7ffb39292fff Memory Mapped File Readable, Writable, Executable False False False
userenv.dll 0x7ffb39350000 0x7ffb3936efff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x7ffb39610000 0x7ffb39626fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x7ffb39780000 0x7ffb3978afff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x7ffb39960000 0x7ffb3998bfff Memory Mapped File Readable, Writable, Executable False False False
bcrypt.dll 0x7ffb39b60000 0x7ffb39b87fff Memory Mapped File Readable, Writable, Executable False False False
bcryptprimitives.dll 0x7ffb39b90000 0x7ffb39bfafff Memory Mapped File Readable, Writable, Executable False False False
sxs.dll 0x7ffb39c00000 0x7ffb39c97fff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x7ffb39d40000 0x7ffb39d50fff Memory Mapped File Readable, Writable, Executable False False False
kernel.appcore.dll 0x7ffb39d60000 0x7ffb39d6efff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x7ffb39d70000 0x7ffb39d82fff Memory Mapped File Readable, Writable, Executable False False False
powrprof.dll 0x7ffb39d90000 0x7ffb39dd9fff Memory Mapped File Readable, Writable, Executable False False False
windows.storage.dll 0x7ffb39de0000 0x7ffb3a407fff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x7ffb3a410000 0x7ffb3a453fff Memory Mapped File Readable, Writable, Executable False False False
shcore.dll 0x7ffb3a570000 0x7ffb3a622fff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x7ffb3a630000 0x7ffb3a7f0fff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x7ffb3a800000 0x7ffb3a9dcfff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x7ffb3a9e0000 0x7ffb3a9e7fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x7ffb3a9f0000 0x7ffb3aa40fff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x7ffb3aa50000 0x7ffb3bf74fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x7ffb3bf80000 0x7ffb3c0a5fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x7ffb3c290000 0x7ffb3c2c5fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x7ffb3c2d0000 0x7ffb3c375fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x7ffb3c3e0000 0x7ffb3c564fff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x7ffb3c650000 0x7ffb3c79dfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x7ffb3c950000 0x7ffb3c9aafff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x7ffb3c9b0000 0x7ffb3ca6dfff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x7ffb3ca70000 0x7ffb3cb14fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x7ffb3cb20000 0x7ffb3cc60fff Memory Mapped File Readable, Writable, Executable False False False
combase.dll 0x7ffb3cc70000 0x7ffb3ceebfff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x7ffb3cf10000 0x7ffb3cfacfff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x7ffb3cfb0000 0x7ffb3cfb7fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x7ffb3d020000 0x7ffb3d17bfff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x7ffb3d260000 0x7ffb3d30cfff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x7ffb3d310000 0x7ffb3d4d1fff Memory Mapped File Readable, Writable, Executable False False False
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count Logfile
Create Remote Thread #9: c:\windows\explorer.exe 0xde4 address = 0x7ffb3d319fa0 True 1
Modify Memory #9: c:\windows\explorer.exe 0xde4 address = 0x7ffb3d319fa0, size = 4 True 2
Modify Memory #9: c:\windows\explorer.exe 0xde4 address = 0x942a670000, size = 598016 True 1
Modify Memory #9: c:\windows\explorer.exe 0xde4 address = 0x94282f0000, size = 792 True 1
Modify Control Flow #9: c:\windows\explorer.exe 0xde4 os_tid = 0xe30, address = 0x0 True 1
Host Behavior
Registry (6)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 - True 1
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 - True 1
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 - True 1
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 value_name = Ini, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 value_name = Client, type = REG_BINARY True 1
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 value_name = Scr, type = REG_NONE False 1
Process (5)
Operation Process Additional Information Success Count Logfile
Get Info c:\windows\system32\runtimebroker.exe type = PROCESS_BASIC_INFORMATION True 5
Module (190)
+
Operation Module Additional Information Success Count Logfile
Load ntdll.dll base_address = 0x0 True 1
Fn
Load KERNEL32.dll base_address = 0x0 True 1
Fn
Load OLEAUT32.dll base_address = 0x0 True 1
Fn
Load ADVAPI32.dll base_address = 0x7ffb3c2d0000 True 1
Fn
Load SHLWAPI.dll base_address = 0x7ffb3a9f0000 True 1
Fn
Load USER32.dll base_address = 0x7ffb3c650000 True 1
Fn
Load PSAPI.DLL base_address = 0x7ffb3cfb0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ffb3d260000 True 6
Fn
Get Handle c:\windows\system32\ntdll.dll base_address = 0x7ffb3d310000 True 2
Fn
Get Handle c:\windows\system32\kernelbase.dll base_address = 0x7ffb3a800000 True 1
Fn
Get Handle c:\windows\system32\advapi32.dll base_address = 0x7ffb3c2d0000 True 2
Fn
Get Filename OLEAUT32.dll process_name = c:\windows\system32\runtimebroker.exe, file_name_orig = C:\Windows\System32\RuntimeBroker.exe, size = 260 True 1
Fn
Get Address - function = _snprintf, ordinal = 0, address_out = 0x942823fb90 True 1
Fn
Get Address - function = sprintf, ordinal = 0, address_out = 0x942823fb90 True 1
Fn
Get Address - function = ZwOpenProcess, ordinal = 0, address_out = 0x942823fb90 True 1
Fn
Get Address - function = ZwOpenProcessToken, ordinal = 0, address_out = 0x942823fb90 True 1
Fn
Get Address - function = ZwClose, ordinal = 0, address_out = 0x942823fb90 True 1
Fn
Get Address - function = ZwQueryInformationToken, ordinal = 0, address_out = 0x942823fb90 True 1
Fn
Get Address - function = strcpy, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = NtQuerySystemInformation, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = RtlNtStatusToDosError, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = ZwQueryInformationProcess, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = memcpy, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = NtUnmapViewOfSection, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = _wcsupr, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = _strupr, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = memmove, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = memset, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = wcscpy, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = ZwQueryKey, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = RtlFreeUnicodeString, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = wcstombs, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = RtlAdjustPrivilege, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = mbstowcs, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = RtlImageNtHeader, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = NtMapViewOfSection, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = NtCreateSection, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = __C_specific_handler, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = __chkstk, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = CreateFileMappingA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = SetFilePointerEx, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = QueueUserWorkItem, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = VirtualProtectEx, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = GetComputerNameW, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = ExpandEnvironmentStringsA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = FindNextFileA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = CompareFileTime, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = FindFirstFileA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = GetFileTime, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = GetCurrentProcessId, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = QueryPerformanceCounter, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = GetModuleFileNameA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = CreateDirectoryA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = GetLastError, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = HeapFree, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = RemoveDirectoryA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = CloseHandle, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = LoadLibraryA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = CreateFileA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = DeleteFileA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = lstrcpyA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = lstrlenA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = lstrcatA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = WriteFile, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = HeapAlloc, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = HeapDestroy, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = HeapCreate, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = SetEvent, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = HeapReAlloc, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = WaitForSingleObject, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = SuspendThread, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = OpenProcess, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = ResumeThread, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = lstrcpyW, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = lstrcmpiW, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = GetModuleHandleA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = CreateThread, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = CreateFileW, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = SwitchToThread, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = lstrcatW, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = Sleep, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = GetTickCount, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = SetWaitableTimer, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = CopyFileW, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = GetCurrentThreadId, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = GetCurrentThread, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = DuplicateHandle, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = lstrlenW, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = CreateEventA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = GetWindowsDirectoryA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = DeleteFileW, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = CreateDirectoryW, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = GetTempPathA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = lstrcmpiA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = WaitForMultipleObjects, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = lstrcmpA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = ResetEvent, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = CreateMutexA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = OpenWaitableTimerA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = MapViewOfFile, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = OpenMutexA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = UnmapViewOfFile, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = ReleaseMutex, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = GetVersionExA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = CreateWaitableTimerA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = SetLastError, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = InitializeCriticalSection, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = EnterCriticalSection, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = LeaveCriticalSection, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = UnregisterWait, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = VirtualProtect, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = RegisterWaitForSingleObject, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = TlsAlloc, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = TlsGetValue, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = LoadLibraryExW, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = TlsSetValue, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = GetProcAddress, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = GetDriveTypeW, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = WideCharToMultiByte, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = OpenFileMappingA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = GetExitCodeProcess, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = LocalFree, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = CreateProcessA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = GetFileSize, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = lstrcpynA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = Thread32First, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = QueueUserAPC, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = OpenThread, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = Thread32Next, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = ConnectNamedPipe, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = GetOverlappedResult, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = CancelIo, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = DisconnectNamedPipe, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = FlushFileBuffers, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = CallNamedPipeA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = CreateNamedPipeA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = GetSystemTime, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = WaitNamedPipeA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = ReadFile, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = SleepEx, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = OpenEventA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = LocalAlloc, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = FreeLibrary, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = RaiseException, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = VirtualFree, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = GetModuleFileNameW, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = GetVersion, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = GetLocalTime, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = QueryPerformanceFrequency, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = DeleteCriticalSection, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = GetTempFileNameA, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = FindNextFileW, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = SetEndOfFile, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = SetFilePointer, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = FindFirstFileW, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = RemoveDirectoryW, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = GetFileAttributesW, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = FindClose, ordinal = 0, address_out = 0x942823fb90 True 1
Get Address - function = 0, ordinal = 9, address_out = 0x942823fb90 True 1
Get Address - function = 0, ordinal = 6, address_out = 0x942823fb90 True 1
Get Address - function = 0, ordinal = 2, address_out = 0x942823fb90 True 1
Get Address - function = 0, ordinal = 8, address_out = 0x942823fb90 True 1
Get Address c:\windows\system32\kernel32.dll function = IsWow64Process, address_out = 0x7ffb3d27e960 True 1
Get Address c:\windows\system32\advapi32.dll function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7ffb3c2ed610 True 1
Get Address c:\windows\system32\shlwapi.dll function = StrRChrA, address_out = 0x7ffb3aa04dd0 True 1
Get Address c:\windows\system32\user32.dll function = wsprintfA, address_out = 0x7ffb3c672610 True 1
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7ffb3c2fec40 True 1
Get Address c:\windows\system32\psapi.dll function = EnumProcessModules, address_out = 0x7ffb3cfb1040 True 1
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyA, address_out = 0x7ffb3c2eb9e0 True 1
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7ffb3c2e7dd0 True 1
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7ffb3c2e72e0 True 1
Get Address c:\windows\system32\shlwapi.dll function = StrToIntExA, address_out = 0x7ffb3aa04e70 True 1
Get Address c:\windows\system32\shlwapi.dll function = StrChrA, address_out = 0x7ffb3aa04cc0 True 1
Get Address c:\windows\system32\shlwapi.dll function = StrTrimA, address_out = 0x7ffb3aa04e80 True 1
Get Address c:\windows\system32\advapi32.dll function = RegCreateKeyA, address_out = 0x7ffb3c316dc0 True 1
System (5)
Operation Additional Information Success Count Logfile
Sleep duration = -1 (infinite) False 1
Get Time type = System Time, time = 2017-12-11 16:43:39 (UTC) True 2
Get Info type = Operating System True 2
Mutex (1)
Operation Additional Information Success Count Logfile
Create mutex_name = {B3575357-76B9-5D62-1897-0AE1CCBBDEA5} True 1
Process #11: cmd.exe
(Host: 61, Network: 0)
Information Value
ID #11
File Name c:\windows\system32\cmd.exe
Command Line cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\CIIHMN~1\AppData\Local\Temp\A7BD.bi1"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:18, Reason: Child Process
Unmonitor End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration 00:01:02
OS Process Information
Information Value
PID 0xef0
Parent PID 0x728 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xEC0
0xF74
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x0000002e45920000 0x2e45920000 0x2e4593ffff Private Memory Readable, Writable True False False
pagefile_0x0000002e45920000 0x2e45920000 0x2e4592ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000002e45930000 0x2e45930000 0x2e45936fff Private Memory Readable, Writable True False False
pagefile_0x0000002e45940000 0x2e45940000 0x2e45953fff Pagefile Backed Memory Readable True False False
private_0x0000002e45960000 0x2e45960000 0x2e45a5ffff Private Memory Readable, Writable True False False
pagefile_0x0000002e45a60000 0x2e45a60000 0x2e45a63fff Pagefile Backed Memory Readable True False False
pagefile_0x0000002e45a70000 0x2e45a70000 0x2e45a70fff Pagefile Backed Memory Readable True False False
private_0x0000002e45a80000 0x2e45a80000 0x2e45a81fff Private Memory Readable, Writable True False False
locale.nls 0x2e45a90000 0x2e45b4dfff Memory Mapped File Readable False False False
private_0x0000002e45b50000 0x2e45b50000 0x2e45b56fff Private Memory Readable, Writable True False False
private_0x0000002e45b90000 0x2e45b90000 0x2e45c8ffff Private Memory Readable, Writable True False False
private_0x0000002e45c90000 0x2e45c90000 0x2e45d8ffff Private Memory Readable, Writable True False False
private_0x0000002e45dd0000 0x2e45dd0000 0x2e45ddffff Private Memory Readable, Writable True False False
sortdefault.nls 0x2e45de0000 0x2e46116fff Memory Mapped File Readable False False False
pagefile_0x00007df5ffa40000 0x7df5ffa40000 0x7ff5ffa3ffff Pagefile Backed Memory - True False False
pagefile_0x00007ff699c00000 0x7ff699c00000 0x7ff699cfffff Pagefile Backed Memory Readable True False False
pagefile_0x00007ff699d00000 0x7ff699d00000 0x7ff699d22fff Pagefile Backed Memory Readable True False False
private_0x00007ff699d24000 0x7ff699d24000 0x7ff699d24fff Private Memory Readable, Writable True False False
private_0x00007ff699d2c000 0x7ff699d2c000 0x7ff699d2dfff Private Memory Readable, Writable True False False
private_0x00007ff699d2e000 0x7ff699d2e000 0x7ff699d2ffff Private Memory Readable, Writable True False False
cmd.exe 0x7ff69a200000 0x7ff69a258fff Memory Mapped File Readable, Writable, Executable True False False
kernelbase.dll 0x7ffb3a800000 0x7ffb3a9dcfff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x7ffb3cf10000 0x7ffb3cfacfff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x7ffb3d260000 0x7ffb3d30cfff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x7ffb3d310000 0x7ffb3d4d1fff Memory Mapped File Readable, Writable, Executable False False False
Host Behavior
File (16)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\A7BD.bi1 desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Get Info C:\Windows\system32 type = file_attributes True 1
Get Info C:\Windows\System32 type = file_attributes True 1
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Open STD_OUTPUT_HANDLE - True 9
Open STD_INPUT_HANDLE - True 3
Registry (17)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Process (1)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\system32\nslookup.exe os_pid = 0xf7c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Module (8)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x7ff69a200000 True 1
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ffb3d260000 True 2
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x7ffb3d27d550 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x7ffb3d2825e0 True 1
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x7ffb3d281f90 True 1
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x7ffb3a853a10 True 1
Environment (19)
Operation Additional Information Success Count Logfile
Get Environment String - True 7
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 2
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Get Environment String name = PROMPT False 1
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Get Environment String name = KEYS False 1
Set Environment String name = PROMPT, value = $P$G True 1
Set Environment String name = =C:, value = C:\Windows\System32 True 1
Set Environment String name = COPYCMD True 1
Set Environment String name = =ExitCode, value = 00000000 True 1
Set Environment String name = =ExitCodeAscii True 1
Process #13: nslookup.exe
(Host: 9, Network: 19)
Information Value
ID #13
File Name c:\windows\system32\nslookup.exe
Command Line nslookup myip.opendns.com resolver1.opendns.com
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:20, Reason: Child Process
Unmonitor End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration 00:01:00
OS Process Information
Information Value
PID 0xf7c
Parent PID 0xef0 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xEA0
0xEAC
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x0000004d203d0000 0x4d203d0000 0x4d203effff Private Memory Readable, Writable True False False
pagefile_0x0000004d203d0000 0x4d203d0000 0x4d203dffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000004d203e0000 0x4d203e0000 0x4d203e6fff Private Memory Readable, Writable True False False
pagefile_0x0000004d203f0000 0x4d203f0000 0x4d20403fff Pagefile Backed Memory Readable True False False
private_0x0000004d20410000 0x4d20410000 0x4d2048ffff Private Memory Readable, Writable True False False
pagefile_0x0000004d20490000 0x4d20490000 0x4d20493fff Pagefile Backed Memory Readable True False False
pagefile_0x0000004d204a0000 0x4d204a0000 0x4d204a0fff Pagefile Backed Memory Readable True False False
private_0x0000004d204b0000 0x4d204b0000 0x4d204b1fff Private Memory Readable, Writable True False False
private_0x0000004d204c0000 0x4d204c0000 0x4d204c6fff Private Memory Readable, Writable True False False
nslookup.exe.mui 0x4d204d0000 0x4d204d4fff Memory Mapped File Readable False False False
private_0x0000004d204e0000 0x4d204e0000 0x4d205dffff Private Memory Readable, Writable True False False
locale.nls 0x4d205e0000 0x4d2069dfff Memory Mapped File Readable False False False
private_0x0000004d206a0000 0x4d206a0000 0x4d2071ffff Private Memory Readable, Writable True False False
imm32.dll 0x4d20720000 0x4d20753fff Memory Mapped File Readable False False False
private_0x0000004d20720000 0x4d20720000 0x4d20720fff Private Memory Readable, Writable True False False
private_0x0000004d20730000 0x4d20730000 0x4d20730fff Private Memory Readable, Writable True False False
private_0x0000004d20800000 0x4d20800000 0x4d2080ffff Private Memory Readable, Writable True False False
pagefile_0x0000004d20810000 0x4d20810000 0x4d20997fff Pagefile Backed Memory Readable True False False
pagefile_0x0000004d209a0000 0x4d209a0000 0x4d20b20fff Pagefile Backed Memory Readable True False False
pagefile_0x0000004d20b30000 0x4d20b30000 0x4d21f2ffff Pagefile Backed Memory Readable True False False
pagefile_0x00007df5ff780000 0x7df5ff780000 0x7ff5ff77ffff Pagefile Backed Memory - True False False
pagefile_0x00007ff624a40000 0x7ff624a40000 0x7ff624b3ffff Pagefile Backed Memory Readable True False False
pagefile_0x00007ff624b40000 0x7ff624b40000 0x7ff624b62fff Pagefile Backed Memory Readable True False False
private_0x00007ff624b6a000 0x7ff624b6a000 0x7ff624b6bfff Private Memory Readable, Writable True False False
private_0x00007ff624b6c000 0x7ff624b6c000 0x7ff624b6dfff Private Memory Readable, Writable True False False
private_0x00007ff624b6e000 0x7ff624b6e000 0x7ff624b6efff Private Memory Readable, Writable True False False
nslookup.exe 0x7ff625810000 0x7ff62582afff Memory Mapped File Readable, Writable, Executable True False False
napinsp.dll 0x7ffb2e450000 0x7ffb2e464fff Memory Mapped File Readable, Writable, Executable False False False
pnrpnsp.dll 0x7ffb2e470000 0x7ffb2e489fff Memory Mapped File Readable, Writable, Executable False False False
winrnr.dll 0x7ffb2e490000 0x7ffb2e49cfff Memory Mapped File Readable, Writable, Executable False False False
rasadhlp.dll 0x7ffb308c0000 0x7ffb308c9fff Memory Mapped File Readable, Writable, Executable False False False
fwpuclnt.dll 0x7ffb361e0000 0x7ffb36247fff Memory Mapped File Readable, Writable, Executable False False False
winnsi.dll 0x7ffb373f0000 0x7ffb373fafff Memory Mapped File Readable, Writable, Executable False False False
iphlpapi.dll 0x7ffb37410000 0x7ffb37447fff Memory Mapped File Readable, Writable, Executable False False False
nlaapi.dll 0x7ffb37470000 0x7ffb37487fff Memory Mapped File Readable, Writable, Executable False False False
dnsapi.dll 0x7ffb393b0000 0x7ffb39457fff Memory Mapped File Readable, Writable, Executable False False False
mswsock.dll 0x7ffb395b0000 0x7ffb3960cfff Memory Mapped File Readable, Writable, Executable False False False
bcrypt.dll 0x7ffb39b60000 0x7ffb39b87fff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x7ffb3a800000 0x7ffb3a9dcfff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x7ffb3a9e0000 0x7ffb3a9e7fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x7ffb3bf80000 0x7ffb3c0a5fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x7ffb3c290000 0x7ffb3c2c5fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x7ffb3c3e0000 0x7ffb3c564fff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x7ffb3c570000 0x7ffb3c5d8fff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x7ffb3c650000 0x7ffb3c79dfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x7ffb3c950000 0x7ffb3c9aafff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x7ffb3cf10000 0x7ffb3cfacfff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x7ffb3d020000 0x7ffb3d17bfff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x7ffb3d260000 0x7ffb3d30cfff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x7ffb3d310000 0x7ffb3d4d1fff Memory Mapped File Readable, Writable, Executable False False False
Host Behavior
File (1)
Operation Filename Additional Information Success Count Logfile
Write STD_ERROR_HANDLE size = 27 True 1
Registry (7)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient - False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DNSLookupOrder False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = Domain True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpDomain False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = SearchList False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpSearchList False 1
Module (1)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\nslookup.exe base_address = 0x7ff625810000 True 1
Network Behavior
DNS (2)
Operation Additional Information Success Count Logfile
Get Hostname name_out = LHnIwsj True 1
Resolve Name host = resolver1.opendns.com, address_out = 208.67.222.222 True 1
UDP Sessions (3)
Information Value
Total Data Sent 0.11 KB (113 bytes)
Total Data Received 0.23 KB (232 bytes)
Contacted Host Count 1
Contacted Hosts 208.67.222.222:53
UDP Session #1
Information Value
Handle 0x178
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Local Address -
Local Port -
Data Sent 0.04 KB (45 bytes)
Data Received 0.08 KB (80 bytes)
Operations
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Connect remote_address = 208.67.222.222, remote_port = 53 False 1
Send flags = NO_FLAG_SET, size = 45, size_out = 45 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 80 True 1
Close type = SOCK_DGRAM True 1
UDP Session #2
Information Value
Handle 0x178
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Local Address -
Local Port -
Data Sent 0.03 KB (34 bytes)
Data Received 0.05 KB (50 bytes)
Operations
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Connect remote_address = 208.67.222.222, remote_port = 53 False 1
Send flags = NO_FLAG_SET, size = 34, size_out = 34 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 50 True 1
Close type = SOCK_DGRAM True 1
UDP Session #3
Information Value
Handle 0x178
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Local Address -
Local Port -
Data Sent 0.03 KB (34 bytes)
Data Received 0.10 KB (102 bytes)
Operations
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Connect remote_address = 208.67.222.222, remote_port = 53 False 1
Send flags = NO_FLAG_SET, size = 34, size_out = 34 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 102 True 1
Close type = SOCK_DGRAM True 1
Process #14: cmd.exe
(Host: 60, Network: 0)
Information Value
ID #14
File Name c:\windows\system32\cmd.exe
Command Line cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\A7BD.bi1"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:22, Reason: Child Process
Unmonitor End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration 00:00:58
OS Process Information
Information Value
PID 0xd34
Parent PID 0x728 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x B0
0x D2C
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x0000005f2eeb0000 0x5f2eeb0000 0x5f2eecffff Private Memory Readable, Writable True False False
pagefile_0x0000005f2eeb0000 0x5f2eeb0000 0x5f2eebffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000005f2eec0000 0x5f2eec0000 0x5f2eec6fff Private Memory Readable, Writable True False False
pagefile_0x0000005f2eed0000 0x5f2eed0000 0x5f2eee3fff Pagefile Backed Memory Readable True False False
private_0x0000005f2eef0000 0x5f2eef0000 0x5f2efeffff Private Memory Readable, Writable True False False
pagefile_0x0000005f2eff0000 0x5f2eff0000 0x5f2eff3fff Pagefile Backed Memory Readable True False False
pagefile_0x0000005f2f000000 0x5f2f000000 0x5f2f000fff Pagefile Backed Memory Readable True False False
private_0x0000005f2f010000 0x5f2f010000 0x5f2f011fff Private Memory Readable, Writable True False False
private_0x0000005f2f020000 0x5f2f020000 0x5f2f026fff Private Memory Readable, Writable True False False
private_0x0000005f2f0d0000 0x5f2f0d0000 0x5f2f1cffff Private Memory Readable, Writable True False False
locale.nls 0x5f2f1d0000 0x5f2f28dfff Memory Mapped File Readable False False False
private_0x0000005f2f290000 0x5f2f290000 0x5f2f38ffff Private Memory Readable, Writable True False False
private_0x0000005f2f520000 0x5f2f520000 0x5f2f52ffff Private Memory Readable, Writable True False False
pagefile_0x00007df5ff5b0000 0x7df5ff5b0000 0x7ff5ff5affff Pagefile Backed Memory - True False False
pagefile_0x00007ff699b10000 0x7ff699b10000 0x7ff699c0ffff Pagefile Backed Memory Readable True False False
pagefile_0x00007ff699c10000 0x7ff699c10000 0x7ff699c32fff Pagefile Backed Memory Readable True False False
private_0x00007ff699c38000 0x7ff699c38000 0x7ff699c38fff Private Memory Readable, Writable True False False
private_0x00007ff699c3c000 0x7ff699c3c000 0x7ff699c3dfff Private Memory Readable, Writable True False False
private_0x00007ff699c3e000 0x7ff699c3e000 0x7ff699c3ffff Private Memory Readable, Writable True False False
cmd.exe 0x7ff69a200000 0x7ff69a258fff Memory Mapped File Readable, Writable, Executable True False False
kernelbase.dll 0x7ffb3a800000 0x7ffb3a9dcfff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x7ffb3cf10000 0x7ffb3cfacfff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x7ffb3d260000 0x7ffb3d30cfff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x7ffb3d310000 0x7ffb3d4d1fff Memory Mapped File Readable, Writable, Executable False False False
Host Behavior
File (24)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\A7BD.bi1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Get Info C:\Windows\system32 type = file_attributes True 1
Get Info C:\Windows\System32 type = file_attributes True 1
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Get Info STD_OUTPUT_HANDLE type = file_type True 2
Get Info STD_OUTPUT_HANDLE type = size True 1
Open STD_OUTPUT_HANDLE - True 12
Open STD_INPUT_HANDLE - True 3
Read STD_OUTPUT_HANDLE size = 1, size_out = 1 True 1
Write STD_OUTPUT_HANDLE size = 11 True 1
Registry (17)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Module (8)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x7ff69a200000 True 1
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ffb3d260000 True 2
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x7ffb3d27d550 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x7ffb3d2825e0 True 1
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x7ffb3d281f90 True 1
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x7ffb3a853a10 True 1
Environment (11)
Operation Additional Information Success Count Logfile
Get Environment String - True 4
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Get Environment String name = PROMPT False 1
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Get Environment String name = KEYS False 1
Set Environment String name = PROMPT, value = $P$G True 1
Set Environment String name = =C:, value = C:\Windows\System32 True 1
Process #16: winmail.exe
(Host: 210, Network: 0)
Information Value
ID #16
File Name c:\program files\windows mail\winmail.exe
Command Line "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:25, Reason: Child Process
Unmonitor End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration 00:00:55
OS Process Information
Information Value
PID 0xd24
Parent PID 0x728 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x D1C
0x F70
0x F30
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x0000007eac4f0000 0x7eac4f0000 0x7eac50ffff Private Memory Readable, Writable True False False
pagefile_0x0000007eac4f0000 0x7eac4f0000 0x7eac4fffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000007eac500000 0x7eac500000 0x7eac506fff Private Memory Readable, Writable True False False
pagefile_0x0000007eac510000 0x7eac510000 0x7eac523fff Pagefile Backed Memory Readable True False False
private_0x0000007eac530000 0x7eac530000 0x7eac5affff Private Memory Readable, Writable True False False
pagefile_0x0000007eac5b0000 0x7eac5b0000 0x7eac5b3fff Pagefile Backed Memory Readable True False False
pagefile_0x0000007eac5c0000 0x7eac5c0000 0x7eac5c1fff Pagefile Backed Memory Readable True False False
private_0x0000007eac5d0000 0x7eac5d0000 0x7eac5d1fff Private Memory Readable, Writable True False False
private_0x0000007eac5e0000 0x7eac5e0000 0x7eac65ffff Private Memory Readable, Writable True False False
private_0x0000007eac660000 0x7eac660000 0x7eac666fff Private Memory Readable, Writable True False False
winmail.exe.mui 0x7eac670000 0x7eac671fff Memory Mapped File Readable False False False
private_0x0000007eac680000 0x7eac680000 0x7eac680fff Private Memory Readable, Writable True False False
private_0x0000007eac690000 0x7eac690000 0x7eac78ffff Private Memory Readable, Writable True False False
locale.nls 0x7eac790000 0x7eac84dfff Memory Mapped File Readable False False False
private_0x0000007eac850000 0x7eac850000 0x7eac850fff Private Memory Readable, Writable True False False
private_0x0000007eac860000 0x7eac860000 0x7eac860fff Private Memory Readable, Writable, Executable True False False
pagefile_0x0000007eac870000 0x7eac870000 0x7eac871fff Pagefile Backed Memory Readable True False False
pagefile_0x0000007eac880000 0x7eac880000 0x7eac881fff Pagefile Backed Memory Readable True False False
pagefile_0x0000007eac890000 0x7eac890000 0x7eac921fff Pagefile Backed Memory Readable, Writable, Executable True False False
private_0x0000007eac930000 0x7eac930000 0x7eac931fff Private Memory Readable, Writable True False False
private_0x0000007eac930000 0x7eac930000 0x7eac936fff Private Memory Readable, Writable True False False
private_0x0000007eac9c0000 0x7eac9c0000 0x7eac9cffff Private Memory Readable, Writable True False False
pagefile_0x0000007eac9d0000 0x7eac9d0000 0x7eacb57fff Pagefile Backed Memory Readable True False False
pagefile_0x0000007eacb60000 0x7eacb60000 0x7eacce0fff Pagefile Backed Memory Readable True False False
pagefile_0x0000007eaccf0000 0x7eaccf0000 0x7eae0effff Pagefile Backed Memory Readable True False False
private_0x0000007eae0f0000 0x7eae0f0000 0x7eae50ffff Private Memory Readable, Writable True False False
sortdefault.nls 0x7eae510000 0x7eae846fff Memory Mapped File Readable False False False
pagefile_0x00007df5ff160000 0x7df5ff160000 0x7ff5ff15ffff Pagefile Backed Memory - True False False
pagefile_0x00007ff72a740000 0x7ff72a740000 0x7ff72a83ffff Pagefile Backed Memory Readable True False False
pagefile_0x00007ff72a840000 0x7ff72a840000 0x7ff72a862fff Pagefile Backed Memory Readable True False False
private_0x00007ff72a86b000 0x7ff72a86b000 0x7ff72a86cfff Private Memory Readable, Writable True False False
private_0x00007ff72a86d000 0x7ff72a86d000 0x7ff72a86efff Private Memory Readable, Writable True False False
private_0x00007ff72a86f000 0x7ff72a86f000 0x7ff72a86ffff Private Memory Readable, Writable True False False
winmail.exe 0x7ff72b500000 0x7ff72b569fff Memory Mapped File Readable, Writable, Executable False False False
msoert2.dll 0x7ffb25180000 0x7ffb251a7fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x7ffb34cc0000 0x7ffb34f33fff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x7ffb39960000 0x7ffb3998bfff Memory Mapped File Readable, Writable, Executable False False False
kernel.appcore.dll 0x7ffb39d60000 0x7ffb39d6efff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x7ffb39d70000 0x7ffb39d82fff Memory Mapped File Readable, Writable, Executable False False False
powrprof.dll 0x7ffb39d90000 0x7ffb39dd9fff Memory Mapped File Readable, Writable, Executable False False False
windows.storage.dll 0x7ffb39de0000 0x7ffb3a407fff Memory Mapped File Readable, Writable, Executable False False False
shcore.dll 0x7ffb3a570000 0x7ffb3a622fff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x7ffb3a800000 0x7ffb3a9dcfff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x7ffb3a9f0000 0x7ffb3aa40fff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x7ffb3aa50000 0x7ffb3bf74fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x7ffb3bf80000 0x7ffb3c0a5fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x7ffb3c290000 0x7ffb3c2c5fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x7ffb3c2d0000 0x7ffb3c375fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x7ffb3c3e0000 0x7ffb3c564fff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x7ffb3c650000 0x7ffb3c79dfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x7ffb3c950000 0x7ffb3c9aafff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x7ffb3c9b0000 0x7ffb3ca6dfff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x7ffb3cb20000 0x7ffb3cc60fff Memory Mapped File Readable, Writable, Executable False False False
combase.dll 0x7ffb3cc70000 0x7ffb3ceebfff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x7ffb3cf10000 0x7ffb3cfacfff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x7ffb3cfb0000 0x7ffb3cfb7fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x7ffb3d020000 0x7ffb3d17bfff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x7ffb3d260000 0x7ffb3d30cfff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x7ffb3d310000 0x7ffb3d4d1fff Memory Mapped File Readable, Writable, Executable False False False
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count Logfile
Modify Memory #9: c:\windows\explorer.exe 0xd3c address = 0x7ff72b5076c0, size = 4 True 2
Modify Memory #9: c:\windows\explorer.exe 0xd3c address = 0x7eac890000, size = 598016 True 1
Modify Memory #9: c:\windows\explorer.exe 0xd3c address = 0x7eac860000, size = 792 True 1
Modify Control Flow #9: c:\windows\explorer.exe 0xd3c os_tid = 0xd1c, address = 0x7ff72a86f000 True 1
Host Behavior
Registry (6)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 - True 1
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 - True 1
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 - True 1
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 value_name = Ini, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 value_name = Client, type = REG_BINARY True 1
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 value_name = Scr, type = REG_NONE False 1
Process (5)
Operation Process Additional Information Success Count Logfile
Get Info c:\program files\windows mail\winmail.exe type = PROCESS_BASIC_INFORMATION True 5
Module (190)
Operation Module Additional Information Success Count Logfile
Load ntdll.dll base_address = 0x0 True 1
Load KERNEL32.dll base_address = 0x0 True 1
Load OLEAUT32.dll base_address = 0x0 True 1
Load ADVAPI32.dll base_address = 0x7ffb3c2d0000 True 1
Load SHLWAPI.dll base_address = 0x7ffb3a9f0000 True 1
Load USER32.dll base_address = 0x7ffb3c650000 True 1
Load PSAPI.DLL base_address = 0x7ffb3cfb0000 True 1
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ffb3d260000 True 6
Get Handle c:\windows\system32\ntdll.dll base_address = 0x7ffb3d310000 True 2
Get Handle c:\windows\system32\kernelbase.dll base_address = 0x7ffb3a800000 True 1
Get Handle c:\windows\system32\advapi32.dll base_address = 0x7ffb3c2d0000 True 2
Get Filename OLEAUT32.dll process_name = c:\program files\windows mail\winmail.exe, file_name_orig = C:\Program Files\Windows Mail\WinMail.exe, size = 260 True 1
Get Address - function = _snprintf, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = sprintf, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = ZwOpenProcess, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = ZwOpenProcessToken, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = ZwClose, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = ZwQueryInformationToken, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = strcpy, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = NtQuerySystemInformation, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = RtlNtStatusToDosError, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = ZwQueryInformationProcess, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = memcpy, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = NtUnmapViewOfSection, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = _wcsupr, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = _strupr, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = memmove, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = memset, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = wcscpy, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = ZwQueryKey, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = RtlFreeUnicodeString, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = wcstombs, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = RtlAdjustPrivilege, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = mbstowcs, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = RtlImageNtHeader, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = NtMapViewOfSection, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = NtCreateSection, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = __C_specific_handler, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = __chkstk, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = CreateFileMappingA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = SetFilePointerEx, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = QueueUserWorkItem, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = VirtualProtectEx, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = GetComputerNameW, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = ExpandEnvironmentStringsA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = FindNextFileA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = CompareFileTime, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = FindFirstFileA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = GetFileTime, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = GetCurrentProcessId, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = QueryPerformanceCounter, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = GetModuleFileNameA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = CreateDirectoryA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = GetLastError, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = HeapFree, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = RemoveDirectoryA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = CloseHandle, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = LoadLibraryA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = CreateFileA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = DeleteFileA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = lstrcpyA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = lstrlenA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = lstrcatA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = WriteFile, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = HeapAlloc, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = HeapDestroy, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = HeapCreate, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = SetEvent, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = HeapReAlloc, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = WaitForSingleObject, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = SuspendThread, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = OpenProcess, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = ResumeThread, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = lstrcpyW, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = lstrcmpiW, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = GetModuleHandleA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = CreateThread, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = CreateFileW, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = SwitchToThread, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = lstrcatW, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = Sleep, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = GetTickCount, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = SetWaitableTimer, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = CopyFileW, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = GetCurrentThreadId, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = GetCurrentThread, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = DuplicateHandle, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = lstrlenW, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = CreateEventA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = GetWindowsDirectoryA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = DeleteFileW, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = CreateDirectoryW, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = GetTempPathA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = lstrcmpiA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = WaitForMultipleObjects, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = lstrcmpA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = ResetEvent, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = CreateMutexA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = OpenWaitableTimerA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = MapViewOfFile, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = OpenMutexA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = UnmapViewOfFile, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = ReleaseMutex, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = GetVersionExA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = CreateWaitableTimerA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = SetLastError, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = InitializeCriticalSection, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = EnterCriticalSection, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = LeaveCriticalSection, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = UnregisterWait, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = VirtualProtect, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = RegisterWaitForSingleObject, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = TlsAlloc, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = TlsGetValue, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = LoadLibraryExW, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = TlsSetValue, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = GetProcAddress, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = GetDriveTypeW, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = WideCharToMultiByte, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = OpenFileMappingA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = GetExitCodeProcess, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = LocalFree, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = CreateProcessA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = GetFileSize, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = lstrcpynA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = Thread32First, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = QueueUserAPC, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = OpenThread, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = Thread32Next, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = ConnectNamedPipe, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = GetOverlappedResult, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = CancelIo, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = DisconnectNamedPipe, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = FlushFileBuffers, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = CallNamedPipeA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = CreateNamedPipeA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = GetSystemTime, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = WaitNamedPipeA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = ReadFile, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = SleepEx, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = OpenEventA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = LocalAlloc, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = FreeLibrary, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = RaiseException, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = VirtualFree, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = GetModuleFileNameW, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = GetVersion, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = GetLocalTime, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = QueryPerformanceFrequency, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = DeleteCriticalSection, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = GetTempFileNameA, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = FindNextFileW, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = SetEndOfFile, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = SetFilePointer, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = FindFirstFileW, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = RemoveDirectoryW, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = GetFileAttributesW, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = FindClose, ordinal = 0, address_out = 0x7eac5afcc0 True 1
Get Address - function = 0, ordinal = 9, address_out = 0x7eac5afcc0 True 1
Get Address - function = 0, ordinal = 6, address_out = 0x7eac5afcc0 True 1
Get Address - function = 0, ordinal = 2, address_out = 0x7eac5afcc0 True 1
Get Address - function = 0, ordinal = 8, address_out = 0x7eac5afcc0 True 1
Get Address c:\windows\system32\kernel32.dll function = IsWow64Process, address_out = 0x7ffb3d27e960 True 1
Get Address c:\windows\system32\advapi32.dll function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7ffb3c2ed610 True 1
Get Address c:\windows\system32\shlwapi.dll function = StrRChrA, address_out = 0x7ffb3aa04dd0 True 1
Get Address c:\windows\system32\user32.dll function = wsprintfA, address_out = 0x7ffb3c672610 True 1
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7ffb3c2fec40 True 1
Get Address c:\windows\system32\psapi.dll function = EnumProcessModules, address_out = 0x7ffb3cfb1040 True 1
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyA, address_out = 0x7ffb3c2eb9e0 True 1
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7ffb3c2e7dd0 True 1
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7ffb3c2e72e0 True 1
Get Address c:\windows\system32\shlwapi.dll function = StrToIntExA, address_out = 0x7ffb3aa04e70 True 1
Get Address c:\windows\system32\shlwapi.dll function = StrChrA, address_out = 0x7ffb3aa04cc0 True 1
Get Address c:\windows\system32\shlwapi.dll function = StrTrimA, address_out = 0x7ffb3aa04e80 True 1
Get Address c:\windows\system32\advapi32.dll function = RegCreateKeyA, address_out = 0x7ffb3c316dc0 True 1
System (5)
Operation Additional Information Success Count Logfile
Sleep duration = -1 (infinite) False 1
Get Time type = System Time, time = 2017-12-11 16:44:02 (UTC) True 2
Get Info type = Operating System True 2
Mutex (1)
Operation Additional Information Success Count Logfile
Create mutex_name = {DB45C3D0-7EC1-C5FA-603F-92C994E3E60D} True 1
Process #17: chakmcat.exe
(Host: 2182, Network: 0)
Information Value
ID #17
File Name c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\amsisigd\chakmcat.exe
Command Line "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Amsisigd\Chakmcat.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:00, Reason: Autostart
Unmonitor End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration 00:00:20
OS Process Information
Information Value
PID 0x2d4
Parent PID 0x2b4 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00018798 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x2F0
0x30C
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00023fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False
pagefile_0x0000000000040000 0x00040000 0x00053fff Pagefile Backed Memory Readable True False False
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory Readable, Writable True False False
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory Readable, Writable True False False
pagefile_0x00000000001a0000 0x001a0000 0x001a3fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory Readable True False False
private_0x00000000001c0000 0x001c0000 0x001c1fff Private Memory Readable, Writable True False False
locale.nls 0x001d0000 0x0028dfff Memory Mapped File Readable False False False
private_0x0000000000290000 0x00290000 0x002cffff Private Memory Readable, Writable True False False
private_0x00000000002d0000 0x002d0000 0x002d0fff Private Memory Readable, Writable True False False
private_0x00000000002e0000 0x002e0000 0x0033cfff Private Memory Readable, Writable, Executable True False False
private_0x0000000000340000 0x00340000 0x00378fff Private Memory Readable, Writable, Executable True False False
private_0x0000000000380000 0x00380000 0x00380fff Private Memory Readable, Writable, Executable True False False
private_0x0000000000390000 0x00390000 0x00390fff Private Memory Readable, Writable True False False
private_0x00000000003b0000 0x003b0000 0x003bffff Private Memory Readable, Writable True False False
private_0x00000000003c0000 0x003c0000 0x003f8fff Private Memory Readable, Writable True False False
chakmcat.exe 0x00400000 0x004a1fff Memory Mapped File Readable, Writable, Executable True False False
private_0x00000000004b0000 0x004b0000 0x005affff Private Memory Readable, Writable True False False
private_0x0000000000610000 0x00610000 0x0070ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000710000 0x00710000 0x00897fff Pagefile Backed Memory Readable True False False
oleaut32.dll 0x008a0000 0x00930fff Memory Mapped File Readable False False False
private_0x00000000008a0000 0x008a0000 0x0099ffff Private Memory Readable, Writable True False False
private_0x00000000009a0000 0x009a0000 0x009affff Private Memory Readable, Writable True False False
pagefile_0x00000000009b0000 0x009b0000 0x00b30fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000b40000 0x00b40000 0x01f3ffff Pagefile Backed Memory Readable True False False
private_0x0000000001f40000 0x01f40000 0x0204ffff Private Memory Readable, Writable True False False
pagefile_0x0000000001f40000 0x01f40000 0x01fd1fff Pagefile Backed Memory Readable, Writable, Executable True False False
private_0x0000000002040000 0x02040000 0x0204ffff Private Memory Readable, Writable True False False
private_0x0000000002050000 0x02050000 0x024effff Private Memory Readable, Writable True False False
sortdefault.nls 0x024f0000 0x02826fff Memory Mapped File Readable False False False
private_0x0000000002830000 0x02830000 0x029f1fff Private Memory Readable, Writable True False False
wow64win.dll 0x650f0000 0x65162fff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x65170000 0x65177fff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x65180000 0x651cefff Memory Mapped File Readable, Writable, Executable False False False
apphelp.dll 0x743c0000 0x74450fff Memory Mapped File Readable, Writable, Executable False False False
bcryptprimitives.dll 0x74460000 0x744b8fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x744c0000 0x744c9fff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x744d0000 0x744edfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x74550000 0x746c5fff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x74890000 0x75c4efff Memory Mapped File Readable, Writable, Executable False False False
powrprof.dll 0x75c50000 0x75c93fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x75d10000 0x75d8afff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x75d90000 0x75dbafff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x75dc0000 0x75efffff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x75fa0000 0x760ecfff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76140000 0x7622ffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76230000 0x7634ffff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x76350000 0x76439fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x764e0000 0x76523fff Memory Mapped File Readable, Writable, Executable False False False
kernel.appcore.dll 0x76530000 0x7653bfff Memory Mapped File Readable, Writable, Executable False False False
windows.storage.dll 0x76750000 0x76c2cfff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x76c30000 0x76c3efff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76c40000 0x76cfdfff Memory Mapped File Readable, Writable, Executable False False False
combase.dll 0x76f00000 0x770b9fff Memory Mapped File Readable, Writable, Executable False False False
shcore.dll 0x771e0000 0x7726cfff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x77270000 0x7731bfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x77320000 0x77362fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x773c0000 0x77538fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007feb0000 0x7feb0000 0x7ffaffff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffd8000 0x7ffd8000 0x7ffdafff Private Memory Readable, Writable True False False
private_0x000000007ffdb000 0x7ffdb000 0x7ffddfff Private Memory Readable, Writable True False False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7ffb6761ffff Private Memory Readable True False False
ntdll.dll 0x7ffb67620000 0x7ffb677e1fff Memory Mapped File Readable, Writable, Executable False False False
private_0x00007ffb677e2000 0x7ffb677e2000 0x7ffffffeffff Private Memory Readable True False False
Host Behavior
File (1976)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7C83.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7E69.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7E6A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7E6B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7E6C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7E6D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7E7E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7E7F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7E80.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7E81.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7E82.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7E83.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7E93.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7E94.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7E95.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7E96.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7E97.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7E98.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7EA9.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7EAA.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7EBA.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7EBB.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7EBC.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7EBD.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7EBE.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7EBF.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7ED0.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7ED1.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7ED2.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7ED3.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7ED4.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7EE5.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7EE6.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7EF6.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7EF7.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7EF8.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7EF9.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F0A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F0B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F0C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F0D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F0E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F1F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F20.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F21.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F22.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F23.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F24.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F34.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F35.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F36.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F37.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F38.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F49.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F4A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F4B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F4C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F4D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F5D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F5E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F5F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F60.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F61.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F62.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F73.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F74.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F85.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F86.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F87.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F88.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F98.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F99.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F9A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F9B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F9C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F9D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F9E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7F9F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7FA0.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7FB1.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7FB2.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7FB3.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7FB4.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7FB5.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7FB6.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7FC7.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7FC8.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7FD8.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7FD9.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7FDA.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7FDB.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7FEC.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7FED.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7FEE.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7FEF.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\7FF0.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8000.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8001.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8002.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8003.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8004.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8015.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8016.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8017.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8018.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8019.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\802A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\802B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\802C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\802D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\803D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\803E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\803F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8040.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8041.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8052.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8053.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8054.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8055.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8066.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8067.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8068.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8069.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\806A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\807A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\807B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\807C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\807D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\807E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\807F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8090.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8091.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8092.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8093.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8094.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8095.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\80A5.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\80A6.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\80A7.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\80A8.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\80A9.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\80BA.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\80BB.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\80BC.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\80BD.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\80BE.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\80BF.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\80D0.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\80D1.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\80D2.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\80D3.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\80D4.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\80D5.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\80E5.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\80E6.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\80E7.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\80E8.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\80E9.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\80FA.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\80FB.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\80FC.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\80FD.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\80FE.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\80FF.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8110.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8111.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8112.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8113.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8123.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8124.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8125.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8126.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8127.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8128.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8139.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\813A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\813B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\813C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\813D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\814D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\814E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\814F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8150.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8151.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8152.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8163.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8164.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8165.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8166.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8167.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8178.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8179.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\817A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\817B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\818B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\818C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\818D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\818E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\819F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\81A0.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\81A1.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\81A2.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\81A3.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\81A4.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\81B5.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\81B6.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\81B7.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\81B8.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\81B9.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\81BA.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\81CA.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\81CB.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\81CC.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\81CD.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\81CE.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\81DF.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\81E0.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\81E1.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\81E2.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\81E3.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\81F3.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\81F4.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\81F5.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\81F6.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\81F7.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\81F8.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8209.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\820A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\820B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\820C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\820D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\820E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\821F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8220.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8221.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8222.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8223.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8224.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8225.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8235.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8236.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8237.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8238.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8239.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\823A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\824B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\824C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\824D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\824E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\825F.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8260.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8261.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8262.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8263.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8264.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8274.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8275.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8276.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8277.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8278.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\8279.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\828A.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\828B.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\828C.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\828D.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\828E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\829E.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Windows\system32\c_1252.nls desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 3
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft - False 1
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Amsisigd - False 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7C83.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7C93.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7C94.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7C95.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7C96.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7C97.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7C98.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7CA9.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7CAA.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7CAB.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7CAC.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7CAD.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7CBD.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7CBE.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7CBF.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7CC0.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7CC1.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7CC2.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7CD3.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7CD4.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7CD5.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7CD6.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7CD7.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7CD8.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7CD9.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7CEA.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7CEB.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7CEC.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7CED.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7CEE.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7CEF.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7CFF.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D00.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D01.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D02.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D03.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D14.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D15.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D16.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D17.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D18.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D19.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D2A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D2B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D2C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D2D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D2E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D2F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D3F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D40.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D41.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D42.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D43.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D44.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D55.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D56.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D57.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D58.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D59.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D5A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D6A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D6B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D6C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D6D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D6E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D7F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D80.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D81.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D82.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D83.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D84.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D95.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D96.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D97.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D98.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D99.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7D9A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7DAA.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7DAB.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7DAC.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7DAD.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7DAE.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7DAF.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7DC0.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7DC1.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7DC2.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7DC3.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7DC4.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7DD5.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7DD6.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7DD7.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7DD8.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7DD9.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7DDA.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7DDB.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7DEB.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7DEC.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7DED.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7DEE.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7DEF.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E00.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E01.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E02.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E03.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E04.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E14.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E15.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E16.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E17.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E18.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E29.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E2A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E2B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E2C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E2D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E2E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E3F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E40.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E41.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E42.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E43.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E44.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E54.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E55.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E56.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E57.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E58.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E69.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E6A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E6B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E6C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E6D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E7E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E7F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E80.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E81.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E82.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E83.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E93.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E94.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E95.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E96.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E97.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7E98.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7EA9.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7EAA.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7EBA.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7EBB.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7EBC.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7EBD.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7EBE.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7EBF.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7ED0.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7ED1.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7ED2.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7ED3.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7ED4.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7EE5.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7EE6.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7EF6.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7EF7.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7EF8.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7EF9.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F0A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F0B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F0C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F0D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F0E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F1F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F20.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F21.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F22.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F23.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F24.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F34.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F35.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F36.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F37.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F38.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F49.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F4A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F4B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F4C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F4D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F5D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F5E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F5F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F60.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F61.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F62.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F73.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F74.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F85.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F86.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F87.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F88.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F98.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F99.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F9A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F9B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F9C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F9D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F9E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7F9F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7FA0.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7FB1.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7FB2.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7FB3.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7FB4.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7FB5.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7FB6.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7FC7.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7FC8.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7FD8.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7FD9.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7FDA.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7FDB.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7FEC.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7FED.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7FEE.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7FEF.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\7FF0.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8000.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8001.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8002.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8003.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8004.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8015.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8016.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8017.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8018.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8019.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\802A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\802B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\802C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\802D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\803D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\803E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\803F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8040.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8041.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8052.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8053.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8054.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8055.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8066.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8067.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8068.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8069.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\806A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\807A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\807B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\807C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\807D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\807E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\807F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8090.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8091.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8092.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8093.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8094.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8095.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\80A5.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\80A6.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\80A7.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\80A8.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\80A9.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\80BA.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\80BB.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\80BC.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\80BD.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\80BE.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\80BF.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\80D0.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\80D1.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\80D2.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\80D3.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\80D4.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\80D5.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\80E5.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\80E6.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\80E7.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\80E8.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\80E9.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\80FA.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\80FB.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\80FC.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\80FD.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\80FE.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\80FF.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8110.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8111.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8112.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8113.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8123.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8124.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8125.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8126.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8127.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8128.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8139.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\813A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\813B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\813C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\813D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\814D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\814E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\814F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8150.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8151.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8152.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8163.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8164.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8165.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8166.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8167.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8178.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8179.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\817A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\817B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\818B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\818C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\818D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\818E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\819F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\81A0.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\81A1.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\81A2.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\81A3.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\81A4.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\81B5.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\81B6.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\81B7.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\81B8.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\81B9.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\81BA.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\81CA.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\81CB.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\81CC.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\81CD.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\81CE.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\81DF.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\81E0.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\81E1.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\81E2.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\81E3.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\81F3.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\81F4.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\81F5.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\81F6.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\81F7.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\81F8.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8209.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\820A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\820B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\820C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\820D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\820E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\821F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8220.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8221.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8222.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8223.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8224.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8225.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8235.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8236.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8237.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8238.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8239.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\823A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\824B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\824C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\824D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\824E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\825F.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8260.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8261.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8262.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8263.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8264.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8274.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8275.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8276.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8277.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8278.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\8279.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\828A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\828B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\828C.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\828D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\828E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\829E.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7E58.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7E69.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7E6A.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7E6B.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7E6C.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7E6D.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7E7E.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7E7F.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7E80.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7E81.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7E82.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7E83.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7E93.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7E94.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7E95.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7E96.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7E97.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7E98.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7EA9.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7EAA.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7EBA.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7EBB.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7EBC.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7EBD.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7EBE.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7EBF.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7ED0.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7ED1.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7ED2.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7ED3.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7ED4.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7EE5.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7EE6.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7EF6.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7EF7.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7EF8.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7EF9.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F0A.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F0B.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F0C.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F0D.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F0E.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F1F.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F20.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F21.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F22.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F23.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F24.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F34.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F35.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F36.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F37.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F38.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F49.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F4A.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F4B.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F4C.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F4D.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F5D.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F5E.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F5F.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F60.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F61.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F62.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F73.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F74.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F85.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F86.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F87.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F88.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F98.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F99.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F9A.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F9B.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F9C.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F9D.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F9E.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7F9F.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7FA0.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7FB1.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7FB2.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7FB3.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7FB4.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7FB5.tmp type = time True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\7FB6.tmp type = time True 1
Fn
For performance reasons, the remaining 974 entries are omitted.
The remaining entries can be found in glog.xml.
Registry (10)
Operation Key Additional Information Success Count
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Open Key HKEY_USERS - True 1
Open Key HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = Accocca, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Amsisigd\Chakmcat.exe, type = REG_SZ True 1
Read Value HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = 0, type = REG_SZ True 1
Read Value HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming, type = REG_SZ True 1
Enumerate Keys HKEY_USERS - True 1
Enumerate Keys HKEY_USERS - True 1
Enumerate Keys HKEY_USERS - True 1
Enumerate Keys HKEY_USERS - True 1
Process (4)
Operation Process Additional Information Success Count
Create C:\Windows\system32\svchost.exe os_pid = 0x998, creation_flags = CREATE_SUSPENDED, CREATE_DEFAULT_ERROR_MODE, show_window = SW_HIDE True 1
Open c:\windows\explorer.exe desired_access = PROCESS_QUERY_INFORMATION True 1
Open c:\windows\explorer.exe desired_access = PROCESS_QUERY_INFORMATION True 1
Open c:\windows\explorer.exe desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Thread (6)
Operation Process Additional Information Success Count
Suspend c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\amsisigd\chakmcat.exe os_tid = 0x2f0 True 1
Get Context c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\amsisigd\chakmcat.exe os_tid = 0x2f0 True 2
Set Context c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\amsisigd\chakmcat.exe os_tid = 0x2f0 True 1
Resume c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\amsisigd\chakmcat.exe os_tid = 0x2f0 True 2
Memory (4)
Operation Process Additional Information Success Count
Protect C:\Windows\system32\svchost.exe address = 0x7ff77a6f3440, protection = PAGE_EXECUTE_READWRITE, size = 1701384 True 1
Protect C:\Windows\system32\svchost.exe address = 0x7ff77a6f3000, protection = PAGE_EXECUTE_READ, size = 1701384 True 1
Write C:\Windows\system32\svchost.exe address = 0xd10000, size = 792 True 1
Write C:\Windows\system32\svchost.exe address = 0x7ff77a6f3440, size = 4 True 1
Module (179)
Operation Module Additional Information Success Count
Load ntdll.dll base_address = 0x773c0000 True 1
Load SHLWAPI.dll base_address = 0x764e0000 True 1
Load KERNEL32.dll base_address = 0x76140000 True 1
Load USER32.dll base_address = 0x75dc0000 True 1
Load ADVAPI32.dll base_address = 0x75d10000 True 1
Load SHELL32.dll base_address = 0x74890000 True 1
Load ole32.dll base_address = 0x76350000 True 1
Load USER32.DLL base_address = 0x75dc0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76140000 True 13
Get Handle c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\amsisigd\chakmcat.exe base_address = 0x400000 True 1
Get Handle c:\windows\syswow64\user32.dll base_address = 0x75dc0000 True 1
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x773c0000 True 1
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\amsisigd\chakmcat.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Amsisigd\Chakmcat.exe, size = 260 True 1
Get Filename c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\amsisigd\chakmcat.exe process_name = c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\amsisigd\chakmcat.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Amsisigd\Chakmcat.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x7615a330 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76157580 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76159910 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x7615f400 True 1
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x7741f190 True 8
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x7741a200 True 3
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x76159640 True 2
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76158b70 True 3
Get Address c:\windows\syswow64\ntdll.dll function = ZwClose, address_out = 0x77428cb0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = ZwQueryInformationToken, address_out = 0x77428df0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlNtStatusToDosError, address_out = 0x77413010 True 1
Get Address c:\windows\syswow64\ntdll.dll function = ZwOpenProcess, address_out = 0x77428e40 True 1
Get Address c:\windows\syswow64\ntdll.dll function = ZwQueryInformationProcess, address_out = 0x77428d50 True 1
Get Address c:\windows\syswow64\ntdll.dll function = mbstowcs, address_out = 0x7742e610 True 1
Get Address c:\windows\syswow64\ntdll.dll function = memset, address_out = 0x7742ee50 True 1
Get Address c:\windows\syswow64\ntdll.dll function = memcpy, address_out = 0x7742e7b0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySystemInformation, address_out = 0x77428f40 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtUnmapViewOfSection, address_out = 0x77428e80 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtMapViewOfSection, address_out = 0x77428e60 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlUpcaseUnicodeString, address_out = 0x7740e040 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtCreateSection, address_out = 0x77429080 True 1
Get Address c:\windows\syswow64\ntdll.dll function = ZwOpenProcessToken, address_out = 0x77429d20 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlFreeUnicodeString, address_out = 0x773fb940 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlUnwind, address_out = 0x7741aca0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtQueryVirtualMemory, address_out = 0x77428e10 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindExtensionW, address_out = 0x764f7c40 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = StrRChrA, address_out = 0x76502900 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindExtensionA, address_out = 0x76501db0 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = StrChrA, address_out = 0x765026c0 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathCombineW, address_out = 0x764fcd50 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindFileNameW, address_out = 0x764f80d0 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = StrChrW, address_out = 0x764f6a00 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = StrTrimW, address_out = 0x764f83a0 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindFileNameA, address_out = 0x764f8970 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ResetEvent, address_out = 0x761660b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76165f20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x7615d8d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventA, address_out = 0x76165f70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateWaitableTimerA, address_out = 0x7615db30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x761657f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x76180960 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileAttributesW, address_out = 0x76166510 True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileA, address_out = 0x761661a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76166590 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x773fda90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetEvent, address_out = 0x761660c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileTime, address_out = 0x76166380 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76157940 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76152db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatW, address_out = 0x7617d320 True 1
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x761577b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x76166170 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiW, address_out = 0x76157540 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x761525e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x76152d80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetWaitableTimer, address_out = 0x761660d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x7615a4b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x761674f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapCreate, address_out = 0x76159950 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapDestroy, address_out = 0x7615d940 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x76166110 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76152b90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileW, address_out = 0x761661b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ExpandEnvironmentStringsA, address_out = 0x76180da0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtectEx, address_out = 0x76182a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ResumeThread, address_out = 0x7615a280 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SuspendThread, address_out = 0x7615ed00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpA, address_out = 0x7615c1f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTempFileNameA, address_out = 0x761663f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryA, address_out = 0x76166140 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTempPathA, address_out = 0x76166410 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76151b90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSize, address_out = 0x76166360 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpynA, address_out = 0x7615f7b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileA, address_out = 0x76166270 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareFileTime, address_out = 0x76166130 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLongPathNameW, address_out = 0x761547c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = OpenProcess, address_out = 0x761592b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetVersion, address_out = 0x7615a300 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76151d90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x761661d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x7615e320 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ExpandEnvironmentStringsW, address_out = 0x7615c8c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x7615efc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x76163a30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x76166530 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x761664a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76159560 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x7615a040 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x76166180 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x76152af0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76158c70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiA, address_out = 0x76157610 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetEndOfFile, address_out = 0x761664f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x7617d410 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryW, address_out = 0x76166150 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x761662a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LocalFree, address_out = 0x761587c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileA, address_out = 0x76166210 True 1
Get Address c:\windows\syswow64\user32.dll function = wsprintfW, address_out = 0x75deddf0 True 1
Get Address c:\windows\syswow64\user32.dll function = wsprintfA, address_out = 0x75deea00 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExA, address_out = 0x75d2ee40 True 1
Get Address c:\windows\syswow64\advapi32.dll function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x75d5bda0 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyA, address_out = 0x75d331a0 True 1
Get Address c:\windows\syswow64\advapi32.dll function = GetTokenInformation, address_out = 0x75d2ed40 True 1
Get Address c:\windows\syswow64\advapi32.dll function = OpenProcessToken, address_out = 0x75d2ee90 True 1
Get Address c:\windows\syswow64\advapi32.dll function = GetSidSubAuthority, address_out = 0x75d30ea0 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegCreateKeyA, address_out = 0x75d33150 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x75d2f0a0 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExA, address_out = 0x75d30750 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegDeleteValueW, address_out = 0x75d30ca0 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyW, address_out = 0x75d2f590 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegEnumKeyExA, address_out = 0x75d32520 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x75d2efa0 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x75d2ed60 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExA, address_out = 0x75d2f000 True 1
Get Address c:\windows\syswow64\advapi32.dll function = GetSidSubAuthorityCount, address_out = 0x75d30f50 True 1
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x74a24cb0 True 1
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteW, address_out = 0x74a24370 True 1
Get Address c:\windows\syswow64\shell32.dll function = 92, address_out = 0x74b07560 True 1
Get Address c:\windows\syswow64\ole32.dll function = CoInitializeEx, address_out = 0x76f6cd50 True 1
Get Address c:\windows\syswow64\ole32.dll function = CoUninitialize, address_out = 0x76f6dca0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsWow64Process, address_out = 0x761596e0 True 1
Get Address c:\windows\syswow64\user32.dll function = FindWindowA, address_out = 0x75df0980 True 1
Get Address c:\windows\syswow64\user32.dll function = GetWindowThreadProcessId, address_out = 0x75ddba70 True 1
Get Address c:\windows\syswow64\ntdll.dll function = ZwWow64QueryInformationProcess64, address_out = 0x7742a840 True 13
Create Mapping - protection = PAGE_EXECUTE_READWRITE, maximum_size = 1701360 True 1
Map - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\amsisigd\chakmcat.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x1f40000 True 1
Map - process_name = C:\Windows\system32\svchost.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xc70000 True 1
Window (1)
Operation Window Name Additional Information Success Count
Find - class_name = ProgMan True 1
System (1)
Operation Additional Information Success Count
Get Info type = Operating System True 1
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Process #18: svchost.exe
(Host: 261, Network: 0)
Information Value
ID #18
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:03, Reason: Child Process
Unmonitor End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration 00:00:17
OS Process Information
Information Value
PID 0x998
Parent PID 0x2d4 (c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\amsisigd\chakmcat.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00018798 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x904
0x880
0xBFC
0x80C
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
pagefile_0x0000000000c70000 0x00c70000 0x00d01fff Pagefile Backed Memory Readable, Writable, Executable True False False
private_0x0000000000d10000 0x00d10000 0x00d10fff Private Memory Readable, Writable, Executable True False False
private_0x000000007ffb0000 0x7ffb0000 0x7ffb0fff Private Memory Readable, Writable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000ff91c70000 0xff91c70000 0xff91c8ffff Private Memory Readable, Writable True False False
pagefile_0x000000ff91c70000 0xff91c70000 0xff91c7ffff Pagefile Backed Memory Readable, Writable True False False
private_0x000000ff91c80000 0xff91c80000 0xff91c81fff Private Memory Readable, Writable True False False
svchost.exe.mui 0xff91c80000 0xff91c80fff Memory Mapped File Readable False False False
pagefile_0x000000ff91c90000 0xff91c90000 0xff91ca3fff Pagefile Backed Memory Readable True False False
private_0x000000ff91cb0000 0xff91cb0000 0xff91d2ffff Private Memory Readable, Writable True False False
pagefile_0x000000ff91d30000 0xff91d30000 0xff91d33fff Pagefile Backed Memory Readable True False False
pagefile_0x000000ff91d40000 0xff91d40000 0xff91d40fff Pagefile Backed Memory Readable True False False
private_0x000000ff91d50000 0xff91d50000 0xff91d51fff Private Memory Readable, Writable True False False
private_0x000000ff91d60000 0xff91d60000 0xff91ddffff Private Memory Readable, Writable True False False
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count Logfile
Modify Memory #17: c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\amsisigd\chakmcat.exe 0x2f0 address = 0xc70000, size = 598016 True 1
Modify Memory #17: c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\amsisigd\chakmcat.exe 0x2f0 address = 0xd10000, size = 792 True 1
Modify Control Flow #17: c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\amsisigd\chakmcat.exe 0x2f0 os_tid = 0x904, address = 0x7a6eb000 True 1
Modify Memory #17: c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\amsisigd\chakmcat.exe 0x2f0 address = 0x7ff77a6f3440, size = 4 True 1
Host Behavior
File (6)
Operation Filename Additional Information Success Count Logfile
Create C:\Windows\SYSTEM32\ntdll.dll desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 3
Read C:\Windows\SYSTEM32\ntdll.dll size = 4, size_out = 4 True 3
Registry (6)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 - True 1
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 - True 1
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 - True 1
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 value_name = Ini, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 value_name = Client, type = REG_BINARY True 1
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 value_name = Scr, type = REG_NONE False 1
Process (22)
Operation Process Additional Information Success Count Logfile
Get Info c:\windows\system32\svchost.exe type = PROCESS_BASIC_INFORMATION True 20
Open c:\windows\explorer.exe desired_access = PROCESS_QUERY_INFORMATION True 1
Open c:\windows\explorer.exe desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Thread (7)
Operation Process Additional Information Success Count Logfile
Create c:\windows\explorer.exe proc_address = 0x7ffb67629fa0, proc_parameter = 0, flags = THREAD_CREATE_SUSPENDED True 1
Suspend c:\windows\explorer.exe os_tid = 0x940 True 1
Get Context c:\windows\explorer.exe os_tid = 0x940 True 2
Set Context c:\windows\explorer.exe os_tid = 0x940 True 1
Resume c:\windows\explorer.exe os_tid = 0x940 True 2
Memory (9)
Operation Process Additional Information Success Count Logfile
Allocate c:\windows\explorer.exe address = 0xff91d2e9a0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1097663179176 True 1
Protect c:\windows\explorer.exe address = 0x7ffb67629fa0, protection = PAGE_EXECUTE_READWRITE, size = 4 True 2
Protect c:\windows\explorer.exe address = 0x7ffb67629fa0, protection = PAGE_EXECUTE_READ, size = 4 True 2
Read c:\windows\explorer.exe address = 0x7ffb67629fa0, size = 4 True 1
Write c:\windows\explorer.exe address = 0x7ffb67629fa0, size = 4 True 2
Write c:\windows\explorer.exe address = 0x9130000, size = 792 True 1
Module (201)
Operation Module Additional Information Success Count Logfile
Load ntdll.dll base_address = 0x0 True 1
Load KERNEL32.dll base_address = 0x0 True 1
Load OLEAUT32.dll base_address = 0x0 True 1
Load ADVAPI32.dll base_address = 0x7ffb673a0000 True 1
Load SHLWAPI.dll base_address = 0x7ffb66b30000 True 1
Load USER32.dll base_address = 0x7ffb667c0000 True 1
Load PSAPI.DLL base_address = 0x7ffb66770000 True 1
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ffb670d0000 True 6
Get Handle c:\windows\system32\ntdll.dll base_address = 0x7ffb67620000 True 3
Get Handle c:\windows\system32\kernelbase.dll base_address = 0x7ffb64a50000 True 1
Get Handle c:\windows\system32\advapi32.dll base_address = 0x7ffb673a0000 True 2
Get Filename OLEAUT32.dll process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 260 True 1
Get Filename c:\windows\system32\ntdll.dll process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 True 3
Get Address - function = _snprintf, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = sprintf, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = ZwOpenProcess, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = ZwOpenProcessToken, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = ZwClose, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = ZwQueryInformationToken, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = strcpy, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = NtQuerySystemInformation, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = RtlNtStatusToDosError, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = ZwQueryInformationProcess, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = memcpy, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = NtUnmapViewOfSection, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = _wcsupr, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = _strupr, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = memmove, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = memset, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = wcscpy, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = ZwQueryKey, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = RtlFreeUnicodeString, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = wcstombs, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = RtlAdjustPrivilege, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = mbstowcs, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = RtlImageNtHeader, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = NtMapViewOfSection, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = NtCreateSection, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = __C_specific_handler, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = __chkstk, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = CreateFileMappingA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = SetFilePointerEx, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = QueueUserWorkItem, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = VirtualProtectEx, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = GetComputerNameW, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = ExpandEnvironmentStringsA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = FindNextFileA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = CompareFileTime, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = FindFirstFileA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = GetFileTime, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = GetCurrentProcessId, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = QueryPerformanceCounter, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = GetModuleFileNameA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = CreateDirectoryA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = GetLastError, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = HeapFree, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = RemoveDirectoryA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = CloseHandle, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = LoadLibraryA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = CreateFileA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = DeleteFileA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = lstrcpyA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = lstrlenA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = lstrcatA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = WriteFile, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = HeapAlloc, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = HeapDestroy, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = HeapCreate, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = SetEvent, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = HeapReAlloc, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = WaitForSingleObject, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = SuspendThread, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = OpenProcess, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = ResumeThread, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = lstrcpyW, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = lstrcmpiW, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = GetModuleHandleA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = CreateThread, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = CreateFileW, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = SwitchToThread, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = lstrcatW, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = Sleep, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = GetTickCount, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = SetWaitableTimer, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = CopyFileW, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = GetCurrentThreadId, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = GetCurrentThread, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = DuplicateHandle, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = lstrlenW, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = CreateEventA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = GetWindowsDirectoryA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = DeleteFileW, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = CreateDirectoryW, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = GetTempPathA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = lstrcmpiA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = WaitForMultipleObjects, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = lstrcmpA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = ResetEvent, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = CreateMutexA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = OpenWaitableTimerA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = MapViewOfFile, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = OpenMutexA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = UnmapViewOfFile, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = ReleaseMutex, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = GetVersionExA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = CreateWaitableTimerA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = SetLastError, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = InitializeCriticalSection, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = EnterCriticalSection, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = LeaveCriticalSection, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = UnregisterWait, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = VirtualProtect, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = RegisterWaitForSingleObject, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = TlsAlloc, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = TlsGetValue, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = LoadLibraryExW, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = TlsSetValue, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = GetProcAddress, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = GetDriveTypeW, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = WideCharToMultiByte, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = OpenFileMappingA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = GetExitCodeProcess, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = LocalFree, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = CreateProcessA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = GetFileSize, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = lstrcpynA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = Thread32First, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = QueueUserAPC, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = OpenThread, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = Thread32Next, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = ConnectNamedPipe, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = GetOverlappedResult, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = CancelIo, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = DisconnectNamedPipe, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = FlushFileBuffers, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = CallNamedPipeA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = CreateNamedPipeA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = GetSystemTime, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = WaitNamedPipeA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = ReadFile, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = SleepEx, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = OpenEventA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = LocalAlloc, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = FreeLibrary, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = RaiseException, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = VirtualFree, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = GetModuleFileNameW, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = GetVersion, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = GetLocalTime, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = QueryPerformanceFrequency, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = DeleteCriticalSection, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = GetTempFileNameA, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = FindNextFileW, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = SetEndOfFile, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = SetFilePointer, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = FindFirstFileW, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = RemoveDirectoryW, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = GetFileAttributesW, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = FindClose, ordinal = 0, address_out = 0xff91d2f830 True 1
Get Address - function = 0, ordinal = 9, address_out = 0xff91d2f830 True 1
Get Address - function = 0, ordinal = 6, address_out = 0xff91d2f830 True 1
Get Address - function = 0, ordinal = 2, address_out = 0xff91d2f830 True 1
Get Address - function = 0, ordinal = 8, address_out = 0xff91d2f830 True 1
Get Address c:\windows\system32\kernel32.dll function = IsWow64Process, address_out = 0x7ffb670ee960 True 1
Get Address c:\windows\system32\advapi32.dll function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7ffb673bd610 True 1
Get Address c:\windows\system32\shlwapi.dll function = StrRChrA, address_out = 0x7ffb66b44dd0 True 1
Get Address c:\windows\system32\user32.dll function = wsprintfA, address_out = 0x7ffb667e2610 True 1
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7ffb673cec40 True 1
Get Address c:\windows\system32\psapi.dll function = EnumProcessModules, address_out = 0x7ffb66771040 True 1
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyA, address_out = 0x7ffb673bb9e0 True 1
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7ffb673b7dd0 True 1
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7ffb673b72e0 True 1
Get Address c:\windows\system32\shlwapi.dll function = StrToIntExA, address_out = 0x7ffb66b44e70 True 1
Get Address c:\windows\system32\shlwapi.dll function = StrChrA, address_out = 0x7ffb66b44cc0 True 1
Get Address c:\windows\system32\shlwapi.dll function = StrTrimA, address_out = 0x7ffb66b44e80 True 1
Get Address c:\windows\system32\user32.dll function = GetShellWindow, address_out = 0x7ffb667e4060 True 1
Get Address c:\windows\system32\user32.dll function = GetWindowThreadProcessId, address_out = 0x7ffb667d4040 True 1
Get Address c:\windows\system32\ntdll.dll function = RtlExitUserThread, address_out = 0x7ffb67629fa0 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateRemoteThread, address_out = 0x7ffb671126d0 True 1
Get Address c:\windows\system32\advapi32.dll function = RegCreateKeyA, address_out = 0x7ffb673e6dc0 True 1
Create Mapping - protection = PAGE_EXECUTE_READWRITE, maximum_size = 1097663180608 True 1
Map - process_name = c:\windows\system32\svchost.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xff92000000 True 1
Map - process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x9090000 True 1
System (4)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2017-12-11 05:44:38 (UTC) True 2
Get Info type = Operating System True 2
Mutex (1)
Operation Additional Information Success Count Logfile
Create mutex_name = {BF4FAD76-121A-4972-1463-668D8847FA11} True 1
Process #19: explorer.exe
(Host: 572, Network: 804)
Information Value
ID #19
File Name c:\windows\explorer.exe
Command Line C:\Windows\Explorer.EXE
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:03, Reason: Injection
Unmonitor End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration 00:00:17
OS Process Information
Information Value
PID 0x2b4
Parent PID 0x478 (c:\windows\system32\userinit.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00018798 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000003aa0000 0x03aa0000 0x03aa0fff Private Memory Readable, Writable True False False
private_0x0000000003ab0000 0x03ab0000 0x03ab0fff Private Memory Readable, Writable True False False
pagefile_0x0000000003ac0000 0x03ac0000 0x03ac2fff Pagefile Backed Memory Readable True False False
stobject.dll.mui 0x03ad0000 0x03ad1fff Memory Mapped File Readable False False False
pagefile_0x0000000003ae0000 0x03ae0000 0x03ae2fff Pagefile Backed Memory Readable True False False
inputswitch.dll.mui 0x03af0000 0x03af1fff Memory Mapped File Readable False False False
private_0x0000000003b00000 0x03b00000 0x03b00fff Private Memory Readable, Writable True False False
pagefile_0x0000000003b10000 0x03b10000 0x03b12fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000003b20000 0x03b20000 0x03b21fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000003b30000 0x03b30000 0x03b32fff Pagefile Backed Memory Readable True False False
cversions.2.db 0x03b40000 0x03b43fff Memory Mapped File Readable True False False
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000007.db 0x03b50000 0x03b92fff Memory Mapped File Readable True False False
cversions.2.db 0x03ba0000 0x03ba3fff Memory Mapped File Readable True False False
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db 0x03bb0000 0x03c3afff Memory Mapped File Readable True False False
propsys.dll.mui 0x03c40000 0x03c50fff Memory Mapped File Readable False False False
private_0x0000000003c60000 0x03c60000 0x03cdffff Private Memory Readable, Writable True False False
private_0x0000000003ce0000 0x03ce0000 0x03d5ffff Private Memory Readable, Writable True False False
private_0x0000000003d60000 0x03d60000 0x03ddffff Private Memory Readable, Writable True False False
private_0x0000000003de0000 0x03de0000 0x03e5ffff Private Memory Readable, Writable True False False
private_0x0000000003e60000 0x03e60000 0x03e60fff Private Memory Readable, Writable True False False
private_0x0000000003e70000 0x03e70000 0x03eeffff Private Memory Readable, Writable True False False
private_0x0000000003ef0000 0x03ef0000 0x03f6ffff Private Memory Readable, Writable True False False
pagefile_0x0000000003f70000 0x03f70000 0x04461fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000004470000 0x04470000 0x044effff Private Memory Readable, Writable True False False
private_0x00000000044f0000 0x044f0000 0x0456ffff Private Memory Readable, Writable True False False
private_0x0000000004570000 0x04570000 0x045effff Private Memory Readable, Writable True False False
private_0x00000000045f0000 0x045f0000 0x0466ffff Private Memory Readable, Writable True False False
private_0x0000000004670000 0x04670000 0x046effff Private Memory Readable, Writable True False False
iconcache_idx.db 0x046f0000 0x046f1fff Memory Mapped File Readable, Writable True False False
iconcache_256.db 0x04700000 0x04700fff Memory Mapped File Readable, Writable True False False
winnlsres.dll 0x04710000 0x04714fff Memory Mapped File Readable False False False
private_0x0000000004720000 0x04720000 0x0479ffff Private Memory Readable, Writable True False False
pagefile_0x00000000047a0000 0x047a0000 0x047a0fff Pagefile Backed Memory Readable, Writable True False False
private_0x00000000047b0000 0x047b0000 0x047b0fff Private Memory Readable, Writable True False False
private_0x00000000047c0000 0x047c0000 0x047c0fff Private Memory Readable, Writable True False False
private_0x00000000047d0000 0x047d0000 0x0484ffff Private Memory Readable, Writable True False False
pagefile_0x0000000004850000 0x04850000 0x04851fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000004860000 0x04860000 0x048dffff Private Memory Readable, Writable True False False
private_0x00000000048e0000 0x048e0000 0x0495ffff Private Memory Readable, Writable True False False
iconcache_idx.db 0x04960000 0x04961fff Memory Mapped File Readable, Writable True False False
private_0x0000000004970000 0x04970000 0x04a6ffff Private Memory Readable, Writable True False False
winnlsres.dll.mui 0x04a70000 0x04a7ffff Memory Mapped File Readable False False False
mswsock.dll.mui 0x04a80000 0x04a82fff Memory Mapped File Readable False False False
imageres.dll.mui 0x04a90000 0x04a90fff Memory Mapped File Readable False False False
private_0x0000000004aa0000 0x04aa0000 0x04aa8fff Private Memory Readable, Writable True False False
private_0x0000000004ab0000 0x04ab0000 0x04ab3fff Private Memory Readable, Writable True False False
thumbcache_idx.db 0x04ac0000 0x04ac1fff Memory Mapped File Readable, Writable True False False
netmsg.dll 0x04ad0000 0x04ad0fff Memory Mapped File Readable False False False
private_0x0000000004ae0000 0x04ae0000 0x04ae8fff Private Memory Readable, Writable True False False
private_0x0000000004af0000 0x04af0000 0x04af0fff Private Memory Readable, Writable True False False
private_0x0000000004b00000 0x04b00000 0x04b7ffff Private Memory Readable, Writable True False False
private_0x0000000004b80000 0x04b80000 0x04bfffff Private Memory Readable, Writable True False False
pagefile_0x0000000004c00000 0x04c00000 0x04c02fff Pagefile Backed Memory Readable True False False
private_0x0000000004c10000 0x04c10000 0x04c57fff Private Memory Readable, Writable True False False
private_0x0000000004c60000 0x04c60000 0x04ca7fff Private Memory Readable, Writable True False False
private_0x0000000004cb0000 0x04cb0000 0x04d2ffff Private Memory Readable, Writable True False False
private_0x0000000004d30000 0x04d30000 0x0552ffff Private Memory - True False False
thumbcache_48.db 0x05530000 0x0562ffff Memory Mapped File Readable, Writable True False False
netmsg.dll.mui 0x05630000 0x05661fff Memory Mapped File Readable False False False
private_0x0000000005670000 0x05670000 0x056effff Private Memory Readable, Writable True False False
iconcache_idx.db 0x056f0000 0x056f1fff Memory Mapped File Readable, Writable True False False
iconcache_48.db 0x05700000 0x057fffff Memory Mapped File Readable, Writable True False False
private_0x0000000005800000 0x05800000 0x0587ffff Private Memory Readable, Writable True False False
private_0x0000000005880000 0x05880000 0x058fffff Private Memory Readable, Writable True False False
thumbcache_idx.db 0x05900000 0x05901fff Memory Mapped File Readable, Writable True False False
thumbcache_48.db 0x05910000 0x05a0ffff Memory Mapped File Readable, Writable True False False
thumbcache_idx.db 0x05a10000 0x05a11fff Memory Mapped File Readable, Writable True False False
private_0x0000000005a20000 0x05a20000 0x05a68fff Private Memory Readable, Writable True False False
cversions.2.db 0x05a70000 0x05a73fff Memory Mapped File Readable True False False
sndvolsso.dll.mui 0x05a80000 0x05a81fff Memory Mapped File Readable False False False
pagefile_0x0000000005a90000 0x05a90000 0x05a92fff Pagefile Backed Memory Readable True False False
private_0x0000000005aa0000 0x05aa0000 0x05aa0fff Private Memory Readable, Writable True False False
pagefile_0x0000000005ab0000 0x05ab0000 0x05ab1fff Pagefile Backed Memory Readable True False False
private_0x0000000005ac0000 0x05ac0000 0x05ac0fff Private Memory Readable, Writable True False False
private_0x0000000005ad0000 0x05ad0000 0x05b4ffff Private Memory Readable, Writable True False False
windows.storage.dll.mui 0x05b50000 0x05b57fff Memory Mapped File Readable False False False
pagefile_0x0000000005b60000 0x05b60000 0x05b62fff Pagefile Backed Memory Readable True False False
For performance reasons, the remaining 787 entries are omitted.
The remaining entries can be found in flog.txt.
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count Logfile
Create Remote Thread #18: c:\windows\system32\svchost.exe 0x904 address = 0x7ffb67629fa0 True 1
Fn
Modify Memory #18: c:\windows\system32\svchost.exe 0x904 address = 0x7ffb67629fa0, size = 4 True 2
Fn
Data
Modify Memory #18: c:\windows\system32\svchost.exe 0x904 address = 0x9090000, size = 598016 True 1
Fn
Modify Memory #18: c:\windows\system32\svchost.exe 0x904 address = 0x9130000, size = 792 True 1
Fn
Data
Modify Control Flow #18: c:\windows\system32\svchost.exe 0x904 os_tid = 0x940, address = 0x0 True 1
Fn
Host Behavior
File (19)
Operation Filename Additional Information Success Count Logfile
Create C:\Windows\system32\c_1252.nls desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 3
Fn
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Amsisigd\Chakmcat.exe desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Windows\SYSTEM32\ntdll.dll desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 3
Fn
Create Pipe pipe\{d0964750-ef7b-8278-f904-93d63d78776a} open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_OVERLAPPED, pipe_mode = PIPE_TYPE_MESSAGE, max_instances = 255 True 1
Fn
Get Info C:\Windows\system32\c_1252.nls type = time True 1
Fn
Get Info C:\Windows\system32\c_1252.nls type = time True 1
Fn
Get Info C:\Windows\system32\c_1252.nls type = time True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js type = size True 1
Fn
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js size = 11513, size_out = 11513 True 1
Fn
Data
Read C:\Windows\SYSTEM32\ntdll.dll size = 4, size_out = 4 True 3
Fn
Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js size = 48 True 1
Fn
Data
Registry (13)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 - True 1
Fn
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 value_name = Ini, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 value_name = Client, type = REG_BINARY True 1
Fn
Data
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = Accocca, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = Accocca, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Amsisigd\Chakmcat.exe, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 value_name = {C2A3A3DE-3990-44FC-D316-7DB8B7AA016C}, type = REG_BINARY True 2
Fn
Data
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings value_name = ProxySettingsPerUser False 1
Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings value_name = EnableSPDY3_0, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Process (263)
Operation Process Additional Information Success Count Logfile
Get Info c:\windows\explorer.exe type = PROCESS_BASIC_INFORMATION True 261
Fn
Open c:\windows\system32\runtimebroker.exe desired_access = PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\runtimebroker.exe desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Fn
Thread (7)
Operation Process Additional Information Success Count Logfile
Create c:\windows\system32\runtimebroker.exe proc_address = 0x7ffb67629fa0, proc_parameter = 0, flags = THREAD_CREATE_SUSPENDED True 1
Fn
Suspend c:\windows\system32\runtimebroker.exe os_tid = 0xb2c True 1
Fn
Get Context c:\windows\system32\runtimebroker.exe os_tid = 0xb2c True 2
Fn
Set Context c:\windows\system32\runtimebroker.exe os_tid = 0xb2c True 1
Fn
Resume - os_tid = 0xb2c True 1
Fn
Resume c:\windows\system32\runtimebroker.exe os_tid = 0xb2c True 1
Fn
Memory (8)
Operation Process Additional Information Success Count Logfile
Protect c:\windows\system32\runtimebroker.exe address = 0x7ffb67629fa0, protection = PAGE_EXECUTE_READWRITE, size = 4 True 2
Fn
Protect c:\windows\system32\runtimebroker.exe address = 0x7ffb67629fa0, protection = PAGE_EXECUTE_READ, size = 4 True 2
Fn
Read c:\windows\system32\runtimebroker.exe address = 0x7ffb67629fa0, size = 4 True 1
Fn
Data
Write c:\windows\system32\runtimebroker.exe address = 0x7ffb67629fa0, size = 4 True 2
Fn
Data
Write c:\windows\system32\runtimebroker.exe address = 0xfa398d0000, size = 792 True 1
Fn
Data
Module (235)
Operation Module Additional Information Success Count Logfile
Load ntdll.dll base_address = 0x0 True 1
Fn
Load KERNEL32.dll base_address = 0x0 True 1
Fn
Load OLEAUT32.dll base_address = 0x0 True 1
Fn
Load ADVAPI32.dll base_address = 0x7ffb673a0000 True 1
Fn
Load SHLWAPI.dll base_address = 0x7ffb66b30000 True 1
Fn
Load USER32.dll base_address = 0x7ffb667c0000 True 1
Fn
Load PSAPI.DLL base_address = 0x7ffb66770000 True 1
Fn
Load ole32.dll base_address = 0x7ffb66e70000 True 1
Fn
Load ADVAPI32.DLL base_address = 0x7ffb673a0000 True 1
Fn
Load WINHTTP.dll base_address = 0x7ffb5d730000 True 1
Fn
Get Handle KERNEL32.DLL base_address = 0x7ffb670d0000 True 6
Fn
Get Handle NTDLL.DLL base_address = 0x7ffb67620000 True 3
Fn
Get Handle kernelbase base_address = 0x7ffb64a50000 True 2
Fn
Get Handle ADVAPI32.DLL base_address = 0x7ffb673a0000 True 3
Fn
Get Handle Unknown module name base_address = 0x7ff77f080000 True 2
Fn
Get Filename OLEAUT32.dll process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\Explorer.EXE, size = 260 True 1
Fn
Get Filename NTDLL.DLL process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 True 3
Fn
Get Address - function = _snprintf, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = sprintf, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = ZwOpenProcess, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = ZwOpenProcessToken, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = ZwClose, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = ZwQueryInformationToken, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = strcpy, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = NtQuerySystemInformation, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = RtlNtStatusToDosError, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = ZwQueryInformationProcess, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = memcpy, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = NtUnmapViewOfSection, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = _wcsupr, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = _strupr, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = memmove, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = memset, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = wcscpy, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = ZwQueryKey, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = RtlFreeUnicodeString, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = wcstombs, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = RtlAdjustPrivilege, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = mbstowcs, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = RtlImageNtHeader, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = NtMapViewOfSection, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = NtCreateSection, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = __C_specific_handler, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = __chkstk, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = CreateFileMappingA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = SetFilePointerEx, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = QueueUserWorkItem, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = VirtualProtectEx, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = GetComputerNameW, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = ExpandEnvironmentStringsA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = FindNextFileA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = CompareFileTime, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = FindFirstFileA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = GetFileTime, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = GetCurrentProcessId, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = QueryPerformanceCounter, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = GetModuleFileNameA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = CreateDirectoryA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = GetLastError, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = HeapFree, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = RemoveDirectoryA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = CloseHandle, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = LoadLibraryA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = CreateFileA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = DeleteFileA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = lstrcpyA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = lstrlenA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = lstrcatA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = WriteFile, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = HeapAlloc, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = HeapDestroy, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = HeapCreate, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = SetEvent, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = HeapReAlloc, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = WaitForSingleObject, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = SuspendThread, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = OpenProcess, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = ResumeThread, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = lstrcpyW, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = lstrcmpiW, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = GetModuleHandleA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = CreateThread, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = CreateFileW, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = SwitchToThread, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = lstrcatW, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = Sleep, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = GetTickCount, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = SetWaitableTimer, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = CopyFileW, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = GetCurrentThreadId, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = GetCurrentThread, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = DuplicateHandle, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = lstrlenW, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = CreateEventA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = GetWindowsDirectoryA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = DeleteFileW, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = CreateDirectoryW, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = GetTempPathA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = lstrcmpiA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = WaitForMultipleObjects, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = lstrcmpA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = ResetEvent, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = CreateMutexA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = OpenWaitableTimerA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = MapViewOfFile, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = OpenMutexA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = UnmapViewOfFile, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = ReleaseMutex, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = GetVersionExA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = CreateWaitableTimerA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = SetLastError, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = InitializeCriticalSection, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = EnterCriticalSection, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = LeaveCriticalSection, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = UnregisterWait, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = VirtualProtect, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = RegisterWaitForSingleObject, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = TlsAlloc, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = TlsGetValue, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = LoadLibraryExW, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = TlsSetValue, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = GetProcAddress, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = GetDriveTypeW, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = WideCharToMultiByte, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = OpenFileMappingA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = GetExitCodeProcess, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = LocalFree, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = CreateProcessA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = GetFileSize, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = lstrcpynA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = Thread32First, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = QueueUserAPC, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = OpenThread, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = Thread32Next, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = ConnectNamedPipe, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = GetOverlappedResult, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = CancelIo, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = DisconnectNamedPipe, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = FlushFileBuffers, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = CallNamedPipeA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = CreateNamedPipeA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = GetSystemTime, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = WaitNamedPipeA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = ReadFile, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = SleepEx, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = OpenEventA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = LocalAlloc, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = FreeLibrary, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = RaiseException, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = VirtualFree, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = GetModuleFileNameW, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = GetVersion, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = GetLocalTime, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = QueryPerformanceFrequency, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = DeleteCriticalSection, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = GetTempFileNameA, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = FindNextFileW, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = SetEndOfFile, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = SetFilePointer, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = FindFirstFileW, ordinal = 0, address_out = 0x908f810 True 1
Fn
Get Address - function = RemoveDirectoryW, ordinal = 0, address_out = 0x908f810 True 1
Get Address - function = GetFileAttributesW, ordinal = 0, address_out = 0x908f810 True 1
Get Address - function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0x908f810 True 1
Get Address - function = FindClose, ordinal = 0, address_out = 0x908f810 True 1
Get Address - function = 0, ordinal = 9, address_out = 0x908f810 True 1
Get Address - function = 0, ordinal = 6, address_out = 0x908f810 True 1
Get Address - function = 0, ordinal = 2, address_out = 0x908f810 True 1
Get Address - function = 0, ordinal = 8, address_out = 0x908f810 True 1
Get Address Unknown module name function = IsWow64Process, address_out = 0x7ffb670ee960 True 1
Get Address Unknown module name function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7ffb673bd610 True 1
Get Address Unknown module name function = StrRChrA, address_out = 0x7ffb66b44dd0 True 1
Get Address Unknown module name function = wsprintfA, address_out = 0x7ffb667e2610 True 1
Get Address Unknown module name function = GetUserNameA, address_out = 0x7ffb673cec40 True 1
Get Address Unknown module name function = GetShellWindow, address_out = 0x7ffb667e4060 True 1
Get Address Unknown module name function = GetWindowThreadProcessId, address_out = 0x7ffb667d4040 True 1
Get Address Unknown module name function = EnumProcessModules, address_out = 0x7ffb66771040 True 1
Get Address Unknown module name function = RegOpenKeyA, address_out = 0x7ffb673bb9e0 True 1
Get Address Unknown module name function = RegQueryValueExA, address_out = 0x7ffb673b7dd0 True 1
Get Address Unknown module name function = RegCloseKey, address_out = 0x7ffb673b72e0 True 1
Get Address Unknown module name function = StrToIntExA, address_out = 0x7ffb66b44e70 True 1
Get Address Unknown module name function = StrChrA, address_out = 0x7ffb66b44cc0 True 1
Get Address Unknown module name function = StrTrimA, address_out = 0x7ffb66b44e80 True 1
Get Address Unknown module name function = RegCreateKeyA, address_out = 0x7ffb673e6dc0 True 1
Get Address Unknown module name function = CreateStreamOnHGlobal, address_out = 0x7ffb66c170a0 True 1
Get Address Unknown module name function = StrStrIA, address_out = 0x7ffb66b3e1c0 True 1
Get Address Unknown module name function = WinHttpOpen, address_out = 0x7ffb5d74bc40 True 1
Get Address Unknown module name function = RegQueryValueExW, address_out = 0x7ffb673b6c70 True 1
Get Address Unknown module name function = StrChrW, address_out = 0x7ffb66b3a2a0 True 1
Get Address Unknown module name function = PathCombineW, address_out = 0x7ffb66b3d130 True 1
Get Address Unknown module name function = StrRChrW, address_out = 0x7ffb66b3dd80 True 1
Get Address Unknown module name function = RegSetValueExA, address_out = 0x7ffb673a2680 True 1
Get Address Unknown module name function = RegisterClassA, address_out = 0x7ffb667e1310 True 1
Get Address Unknown module name function = PathFindFileNameA, address_out = 0x7ffb66b3cf30 True 1
Get Address Unknown module name function = RtlExitUserThread, address_out = 0x7ffb67629fa0 True 1
Get Address Unknown module name function = CreateRemoteThread, address_out = 0x7ffb671126d0 True 1
Get Address Unknown module name function = CreateWindowExA, address_out = 0x7ffb667e4df0 True 1
Get Address Unknown module name function = GetWindowLongPtrA, address_out = 0x7ffb667ccae0 True 1
Get Address Unknown module name function = DefWindowProcA, address_out = 0x7ffb676b3230 True 1
Get Address Unknown module name function = SetWindowLongPtrA, address_out = 0x7ffb667d61f0 True 1
Get Address Unknown module name function = GetMessageA, address_out = 0x7ffb667daa50 True 1
Get Address Unknown module name function = TranslateMessage, address_out = 0x7ffb667d36a0 True 1
Get Address Unknown module name function = DispatchMessageA, address_out = 0x7ffb667e61e0 True 1
Get Address Unknown module name function = StrCmpIW, address_out = 0x7ffb66b3be50 True 1
Get Address Unknown module name function = WinHttpConnect, address_out = 0x7ffb5d749550 True 1
Get Address Unknown module name function = WinHttpOpenRequest, address_out = 0x7ffb5d749c10 True 1
Get Address Unknown module name function = WinHttpQueryOption, address_out = 0x7ffb5d731900 True 1
Get Address Unknown module name function = WinHttpSetOption, address_out = 0x7ffb5d747a20 True 1
Get Address Unknown module name function = WinHttpSendRequest, address_out = 0x7ffb5d748330 True 1
Get Address Unknown module name function = WinHttpReceiveResponse, address_out = 0x7ffb5d748c80 True 1
Get Address Unknown module name function = WinHttpQueryHeaders, address_out = 0x7ffb5d746d90 True 1
Get Address Unknown module name function = WinHttpQueryDataAvailable, address_out = 0x7ffb5d756ac0 True 1
Get Address Unknown module name function = WinHttpReadData, address_out = 0x7ffb5d744200 True 1
Create Mapping - protection = PAGE_EXECUTE_READWRITE, maximum_size = 153416944 True 1
Map - process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x9450000 True 1
Map - process_name = c:\windows\system32\runtimebroker.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xfa3ba00000 True 1
Window (1)
Operation Window Name Additional Information Success Count Logfile
Create - class_name = {0A62B810-AC2F-6BC2-4439-B87D16D3AAB7}, wndproc_parameter = 151783776 True 1
System (11)
Operation Additional Information Success Count Logfile
Sleep duration = -1 (infinite) False 3
Sleep duration = -1 (infinite) True 1
Get Time type = System Time, time = 2017-12-11 05:44:39 (UTC) True 2
Get Time type = Ticks, time = 35765 True 1
Get Time type = System Time, time = 2017-12-11 05:44:41 (UTC) True 1
Get Info type = Operating System True 3
Mutex (8)
Operation Additional Information Success Count Logfile
Create mutex_name = {2B1EAAC7-8E9D-9587-F08F-A2992433F6DD} True 1
Create mutex_name = Local\{14572DFD-6357-66D5-8D88-47FA113C6BCE} True 1
Create mutex_name = Local\{2EBE0010-B5EF-903D-AF42-B9C45396FD38} True 1
Create mutex_name = Local\{CC210EB6-BBF2-DEC8-A5C0-1FF2A9F4C346} True 1
Open mutex_name = Local\{14572DFD-6357-66D5-8D88-47FA113C6BCE}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE False 1
Open mutex_name = Local\{2EBE0010-B5EF-903D-AF42-B9C45396FD38}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE False 1
Open mutex_name = Local\{CC210EB6-BBF2-DEC8-A5C0-1FF2A9F4C346}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE False 1
Release mutex_name = Local\{14572DFD-6357-66D5-8D88-47FA113C6BCE} True 1
Network Behavior
HTTP Sessions (1)
Information Value
Total Data Sent 0.24 KB (244 bytes)
Total Data Received 2.94 MB (3086799 bytes)
Contacted Host Count 1
Contacted Hosts titanliquor.ca
HTTP Session #1
Information Value
User Agent Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
Server Name titanliquor.ca
Server Port 80
Data Sent 0.24 KB (244 bytes)
Data Received 2.94 MB (3086799 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0, access_type = WINHTTP_ACCESS_TYPE_AUTOMATIC_PROXY, flags = WINHTTP_FLAG_SYNC True 1
Open Connection protocol = HTTP, server_name = titanliquor.ca, server_port = 80 True 1
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /images/A/2.tif, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE True 1
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = titanliquor.ca/images/A/2.tif True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Query HTTP Info flags = HTTP_QUERY_RAW_HEADERS_CRLF False 1
Query HTTP Info flags = HTTP_QUERY_RAW_HEADERS_CRLF, size_out = 710 True 1
Process #20: runonce.exe
Information Value
ID #20
File Name c:\windows\syswow64\runonce.exe
Command Line C:\Windows\SysWOW64\runonce.exe /Run6432
Initial Working Directory C:\Windows\SysWOW64\
Monitor Start Time: 00:02:03, Reason: Child Process
Unmonitor End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration 00:00:17
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x190
Parent PID 0x2b4 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00018798 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 278
0x 9B0
0x 744
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x00000000004e0000 0x004e0000 0x004fffff Private Memory Readable, Writable True False False
pagefile_0x00000000004e0000 0x004e0000 0x004effff Pagefile Backed Memory Readable, Writable True False False
private_0x00000000004f0000 0x004f0000 0x004f3fff Private Memory Readable, Writable True False False
private_0x0000000000500000 0x00500000 0x00500fff Private Memory Readable, Writable True False False
runonce.exe.mui 0x00500000 0x00500fff Memory Mapped File Readable False False False
pagefile_0x0000000000510000 0x00510000 0x00523fff Pagefile Backed Memory Readable True False False
private_0x0000000000530000 0x00530000 0x0056ffff Private Memory Readable, Writable True False False
private_0x0000000000570000 0x00570000 0x005affff Private Memory Readable, Writable True False False
pagefile_0x00000000005b0000 0x005b0000 0x005b3fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000005c0000 0x005c0000 0x005c2fff Pagefile Backed Memory Readable True False False
private_0x00000000005d0000 0x005d0000 0x005d1fff Private Memory Readable, Writable True False False
locale.nls 0x005e0000 0x0069dfff Memory Mapped File Readable False False False
private_0x00000000006a0000 0x006a0000 0x006dffff Private Memory Readable, Writable True False False
private_0x00000000006e0000 0x006e0000 0x006effff Private Memory Readable, Writable True False False
private_0x00000000006f0000 0x006f0000 0x0072ffff Private Memory Readable, Writable True False False
private_0x0000000000730000 0x00730000 0x00730fff Private Memory Readable, Writable True False False
private_0x0000000000740000 0x00740000 0x00740fff Private Memory Readable, Writable True False False
pagefile_0x0000000000760000 0x00760000 0x00761fff Pagefile Backed Memory Readable True False False
private_0x0000000000770000 0x00770000 0x007a3fff Private Memory Readable, Writable True False False
private_0x00000000007b0000 0x007b0000 0x007effff Private Memory Readable, Writable True False False
private_0x0000000000820000 0x00820000 0x0091ffff Private Memory Readable, Writable True False False
private_0x0000000000920000 0x00920000 0x0095ffff Private Memory Readable, Writable True False False
private_0x0000000000a20000 0x00a20000 0x00a2ffff Private Memory Readable, Writable True False False
runonce.exe 0x00a90000 0x00a9bfff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000aa0000 0x00aa0000 0x04a9ffff Pagefile Backed Memory - True False False
pagefile_0x0000000004aa0000 0x04aa0000 0x04c27fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000004c30000 0x04c30000 0x04db0fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000004dc0000 0x04dc0000 0x061bffff Pagefile Backed Memory Readable True False False
wow64win.dll 0x650f0000 0x65162fff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x65170000 0x65177fff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x65180000 0x651cefff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x741d0000 0x74244fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x74250000 0x74458fff Memory Mapped File Readable, Writable, Executable False False False
bcryptprimitives.dll 0x74460000 0x744b8fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x744c0000 0x744c9fff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x744d0000 0x744edfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x74550000 0x746c5fff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x74890000 0x75c4efff Memory Mapped File Readable, Writable, Executable False False False
powrprof.dll 0x75c50000 0x75c93fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x75d10000 0x75d8afff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x75d90000 0x75dbafff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x75dc0000 0x75efffff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x75fa0000 0x760ecfff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76140000 0x7622ffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76230000 0x7634ffff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x76350000 0x76439fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x764e0000 0x76523fff Memory Mapped File Readable, Writable, Executable False False False
kernel.appcore.dll 0x76530000 0x7653bfff Memory Mapped File Readable, Writable, Executable False False False
windows.storage.dll 0x76750000 0x76c2cfff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x76c30000 0x76c3efff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76c40000 0x76cfdfff Memory Mapped File Readable, Writable, Executable False False False
combase.dll 0x76f00000 0x770b9fff Memory Mapped File Readable, Writable, Executable False False False
shcore.dll 0x771e0000 0x7726cfff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x77270000 0x7731bfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x77320000 0x77362fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x773c0000 0x77538fff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007ea7d000 0x7ea7d000 0x7ea7ffff Private Memory Readable, Writable True False False
pagefile_0x000000007ea80000 0x7ea80000 0x7eb7ffff Pagefile Backed Memory Readable True False False
pagefile_0x000000007eb80000 0x7eb80000 0x7eba2fff Pagefile Backed Memory Readable True False False
private_0x000000007eba5000 0x7eba5000 0x7eba5fff Private Memory Readable, Writable True False False
private_0x000000007eba8000 0x7eba8000 0x7ebaafff Private Memory Readable, Writable True False False
private_0x000000007ebab000 0x7ebab000 0x7ebadfff Private Memory Readable, Writable True False False
private_0x000000007ebae000 0x7ebae000 0x7ebaefff Private Memory Readable, Writable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7dfb6761ffff Private Memory Readable True False False
pagefile_0x00007dfb67620000 0x7dfb67620000 0x7ffb6761ffff Pagefile Backed Memory - True False False
ntdll.dll 0x7ffb67620000 0x7ffb677e1fff Memory Mapped File Readable, Writable, Executable False False False
private_0x00007ffb677e2000 0x7ffb677e2000 0x7ffffffeffff Private Memory Readable True False False
Process #21: onenotem.exe
Information Value
ID #21
File Name c:\program files\microsoft office\root\office16\onenotem.exe
Command Line "C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE" /tsr
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:04, Reason: Child Process
Unmonitor End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration 00:00:16
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x11c
Parent PID 0x2b4 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00018798 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 858
0x 7CC
0x 75C
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000141b670000 0x141b670000 0x141b68ffff Private Memory Readable, Writable True False False
pagefile_0x000000141b670000 0x141b670000 0x141b67ffff Pagefile Backed Memory Readable, Writable True False False
private_0x000000141b680000 0x141b680000 0x141b686fff Private Memory Readable, Writable True False False
pagefile_0x000000141b690000 0x141b690000 0x141b6a3fff Pagefile Backed Memory Readable True False False
private_0x000000141b6b0000 0x141b6b0000 0x141b7affff Private Memory Readable, Writable True False False
pagefile_0x000000141b7b0000 0x141b7b0000 0x141b7b3fff Pagefile Backed Memory Readable True False False
pagefile_0x000000141b7c0000 0x141b7c0000 0x141b7c0fff Pagefile Backed Memory Readable True False False
private_0x000000141b7d0000 0x141b7d0000 0x141b7d1fff Private Memory Readable, Writable True False False
locale.nls 0x141b7e0000 0x141b89dfff Memory Mapped File Readable False False False
pagefile_0x000000141b8a0000 0x141b8a0000 0x141b8a0fff Pagefile Backed Memory Readable True False False
pagefile_0x000000141b8b0000 0x141b8b0000 0x141b8b0fff Pagefile Backed Memory Readable True False False
private_0x000000141b8c0000 0x141b8c0000 0x141b8c6fff Private Memory Readable, Writable True False False
private_0x000000141b8d0000 0x141b8d0000 0x141b9cffff Private Memory Readable, Writable True False False
private_0x000000141b9d0000 0x141b9d0000 0x141bacffff Private Memory Readable, Writable True False False
private_0x000000141bad0000 0x141bad0000 0x141bad0fff Private Memory Readable, Writable True False False
private_0x000000141bae0000 0x141bae0000 0x141bae0fff Private Memory Readable, Writable True False False
pagefile_0x000000141baf0000 0x141baf0000 0x141baf0fff Pagefile Backed Memory Readable, Writable True False False
private_0x000000141bb00000 0x141bb00000 0x141bbfffff Private Memory Readable, Writable True False False
private_0x000000141bc00000 0x141bc00000 0x141bc00fff Private Memory Readable, Writable True False False
private_0x000000141bc10000 0x141bc10000 0x141bc10fff Private Memory Readable, Writable True False False
pagefile_0x000000141bc20000 0x141bc20000 0x141bc21fff Pagefile Backed Memory Readable True False False
private_0x000000141bc30000 0x141bc30000 0x141bc3ffff Private Memory Readable, Writable True False False
pagefile_0x000000141bc40000 0x141bc40000 0x141bdc7fff Pagefile Backed Memory Readable True False False
pagefile_0x000000141bdd0000 0x141bdd0000 0x141bf50fff Pagefile Backed Memory Readable True False False
pagefile_0x000000141bf60000 0x141bf60000 0x141d35ffff Pagefile Backed Memory Readable True False False
sortdefault.nls 0x141d360000 0x141d696fff Memory Mapped File Readable False False False
private_0x000000141d720000 0x141d720000 0x141d72ffff Private Memory Readable, Writable True False False
private_0x000000141d7a0000 0x141d7a0000 0x141d7affff Private Memory Readable, Writable True False False
pagefile_0x00007ff7ae2d0000 0x7ff7ae2d0000 0x7ff7ae3cffff Pagefile Backed Memory Readable True False False
pagefile_0x00007ff7ae3d0000 0x7ff7ae3d0000 0x7ff7ae3f2fff Pagefile Backed Memory Readable True False False
private_0x00007ff7ae3fb000 0x7ff7ae3fb000 0x7ff7ae3fbfff Private Memory Readable, Writable True False False
private_0x00007ff7ae3fc000 0x7ff7ae3fc000 0x7ff7ae3fdfff Private Memory Readable, Writable True False False
private_0x00007ff7ae3fe000 0x7ff7ae3fe000 0x7ff7ae3fffff Private Memory Readable, Writable True False False
onenotem.exe 0x7ff7ae8a0000 0x7ff7ae8cefff Memory Mapped File Readable, Writable, Executable False False False
vcruntime140.dll 0x7ffb557b0000 0x7ffb557c6fff Memory Mapped File Readable, Writable, Executable False False False
c2r64.dll 0x7ffb58bd0000 0x7ffb58cf8fff Memory Mapped File Readable, Writable, Executable False False False
appvisvsubsystems64.dll 0x7ffb58d00000 0x7ffb58f35fff Memory Mapped File Readable, Writable, Executable False False False
appvisvstream64.dll 0x7ffb59070000 0x7ffb590e9fff Memory Mapped File Readable, Writable, Executable False False False
msi.dll 0x7ffb5da60000 0x7ffb5dd9cfff Memory Mapped File Readable, Writable, Executable False False False
gdiplus.dll 0x7ffb5dda0000 0x7ffb5df48fff Memory Mapped File Readable, Writable, Executable False False False
ucrtbase.dll 0x7ffb5fed0000 0x7ffb5ffc1fff Memory Mapped File Readable, Writable, Executable False False False
msimg32.dll 0x7ffb61ef0000 0x7ffb61ef6fff Memory Mapped File Readable, Writable, Executable False False False
apphelp.dll 0x7ffb627a0000 0x7ffb62817fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x7ffb62920000 0x7ffb629b5fff Memory Mapped File Readable, Writable, Executable False False False
userenv.dll 0x7ffb63600000 0x7ffb6361efff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x7ffb63a90000 0x7ffb63a9afff Memory Mapped File Readable, Writable, Executable False False False
bcrypt.dll 0x7ffb63e70000 0x7ffb63e97fff Memory Mapped File Readable, Writable, Executable False False False
bcryptprimitives.dll 0x7ffb63ea0000 0x7ffb63f0afff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x7ffb64050000 0x7ffb64062fff Memory Mapped File Readable, Writable, Executable False False False
powrprof.dll 0x7ffb64070000 0x7ffb640b9fff Memory Mapped File Readable, Writable, Executable False False False
kernel.appcore.dll 0x7ffb640c0000 0x7ffb640cefff Memory Mapped File Readable, Writable, Executable False False False
windows.storage.dll 0x7ffb64140000 0x7ffb64767fff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x7ffb64a50000 0x7ffb64c2cfff Memory Mapped File Readable, Writable, Executable False False False
shcore.dll 0x7ffb64c30000 0x7ffb64ce2fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x7ffb64cf0000 0x7ffb64dadfff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x7ffb64f80000 0x7ffb65104fff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x7ffb65110000 0x7ffb66634fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x7ffb66640000 0x7ffb66765fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x7ffb66780000 0x7ffb667b5fff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x7ffb667c0000 0x7ffb6690dfff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x7ffb66b30000 0x7ffb66b80fff Memory Mapped File Readable, Writable, Executable False False False
combase.dll 0x7ffb66bf0000 0x7ffb66e6bfff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x7ffb66e70000 0x7ffb66fb0fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x7ffb670d0000 0x7ffb6717cfff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x7ffb672d0000 0x7ffb6736cfff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x7ffb673a0000 0x7ffb67445fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x7ffb67450000 0x7ffb675abfff Memory Mapped File Readable, Writable, Executable False False False
private_0x00007ffb675b0000 0x7ffb675b0000 0x7ffb675bffff Private Memory Readable, Writable, Executable True False False
sechost.dll 0x7ffb675c0000 0x7ffb6761afff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x7ffb67620000 0x7ffb677e1fff Memory Mapped File Readable, Writable, Executable False False False
Process #22: runtimebroker.exe
(Host: 272, Network: 0)
Information Value
ID #22
File Name c:\windows\system32\runtimebroker.exe
Command Line C:\Windows\System32\RuntimeBroker.exe -Embedding
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:05, Reason: Injection
Unmonitor End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration 00:00:15
OS Process Information
Information Value
PID 0x6e0
Parent PID 0x23c (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00018798 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB8C
0xB6C
0xB64
0x9F0
0x848
0x83C
0x838
0x4FC
0x5B4
0x4CC
0xB2C
0x99C
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
pagefile_0x000000fa39370000 0xfa39370000 0xfa3937ffff Pagefile Backed Memory Readable, Writable True False False
private_0x000000fa39380000 0xfa39380000 0xfa39380fff Private Memory Readable, Writable True False False
pagefile_0x000000fa39390000 0xfa39390000 0xfa393a3fff Pagefile Backed Memory Readable True False False
private_0x000000fa393b0000 0xfa393b0000 0xfa3942ffff Private Memory Readable, Writable True False False
pagefile_0x000000fa39430000 0xfa39430000 0xfa39433fff Pagefile Backed Memory Readable True False False
pagefile_0x000000fa39440000 0xfa39440000 0xfa39441fff Pagefile Backed Memory Readable True False False
private_0x000000fa39450000 0xfa39450000 0xfa39451fff Private Memory Readable, Writable True False False
locale.nls 0xfa39460000 0xfa3951dfff Memory Mapped File Readable False False False
private_0x000000fa39520000 0xfa39520000 0xfa39520fff Private Memory Readable, Writable True False False
pagefile_0x000000fa39530000 0xfa39530000 0xfa39530fff Pagefile Backed Memory Readable True False False
pagefile_0x000000fa39540000 0xfa39540000 0xfa39540fff Pagefile Backed Memory Readable True False False
private_0x000000fa39550000 0xfa39550000 0xfa39556fff Private Memory Readable, Writable True False False
private_0x000000fa39560000 0xfa39560000 0xfa395dffff Private Memory Readable, Writable True False False
pagefile_0x000000fa395e0000 0xfa395e0000 0xfa395e2fff Pagefile Backed Memory Readable True False False
pagefile_0x000000fa395f0000 0xfa395f0000 0xfa395f0fff Pagefile Backed Memory Readable, Writable True False False
private_0x000000fa39600000 0xfa39600000 0xfa396fffff Private Memory Readable, Writable True False False
private_0x000000fa39700000 0xfa39700000 0xfa3977ffff Private Memory Readable, Writable True False False
private_0x000000fa39780000 0xfa39780000 0xfa397fffff Private Memory Readable, Writable True False False
private_0x000000fa39800000 0xfa39800000 0xfa3987ffff Private Memory Readable, Writable True False False
pagefile_0x000000fa39880000 0xfa39880000 0xfa39880fff Pagefile Backed Memory Readable, Writable True False False
private_0x000000fa39890000 0xfa39890000 0xfa39896fff Private Memory Readable, Writable True False False
pagefile_0x000000fa398a0000 0xfa398a0000 0xfa398c9fff Pagefile Backed Memory Readable, Writable True False False
private_0x000000fa398d0000 0xfa398d0000 0xfa398d0fff Private Memory Readable, Writable, Executable True False False
private_0x000000fa398e0000 0xfa398e0000 0xfa398e8fff Private Memory Readable, Writable True False False
private_0x000000fa398f0000 0xfa398f0000 0xfa398f1fff Private Memory Readable, Writable True False False
private_0x000000fa39900000 0xfa39900000 0xfa399fffff Private Memory Readable, Writable True False False
pagefile_0x000000fa39a00000 0xfa39a00000 0xfa39b87fff Pagefile Backed Memory Readable True False False
pagefile_0x000000fa39b90000 0xfa39b90000 0xfa39d10fff Pagefile Backed Memory Readable True False False
pagefile_0x000000fa39d20000 0xfa39d20000 0xfa3b11ffff Pagefile Backed Memory Readable True False False
sortdefault.nls 0xfa3b120000 0xfa3b456fff Memory Mapped File Readable False False False
private_0x000000fa3b460000 0xfa3b460000 0xfa3b4dffff Private Memory Readable, Writable True False False
private_0x000000fa3b4e0000 0xfa3b4e0000 0xfa3b55ffff Private Memory Readable, Writable True False False
private_0x000000fa3b590000 0xfa3b590000 0xfa3b596fff Private Memory Readable, Writable True False False
private_0x000000fa3b600000 0xfa3b600000 0xfa3b6fffff Private Memory Readable, Writable True False False
private_0x000000fa3b700000 0xfa3b700000 0xfa3b7fffff Private Memory Readable, Writable True False False
private_0x000000fa3b800000 0xfa3b800000 0xfa3b87ffff Private Memory Readable, Writable True False False
private_0x000000fa3b880000 0xfa3b880000 0xfa3b8fffff Private Memory Readable, Writable True False False
private_0x000000fa3b900000 0xfa3b900000 0xfa3b97ffff Private Memory Readable, Writable True False False
private_0x000000fa3b980000 0xfa3b980000 0xfa3b9fffff Private Memory Readable, Writable True False False
pagefile_0x000000fa3ba00000 0xfa3ba00000 0xfa3ba91fff Pagefile Backed Memory Readable, Writable, Executable True False False
private_0x000000fa3baa0000 0xfa3baa0000 0xfa3bc9ffff Private Memory Readable, Writable True False False
private_0x000000fa3bb00000 0xfa3bb00000 0xfa3bbfffff Private Memory Readable, Writable True False False
private_0x000000fa3bc00000 0xfa3bc00000 0xfa3bdfffff Private Memory Readable, Writable True False False
private_0x000000fa3bc00000 0xfa3bc00000 0xfa3bcfffff Private Memory Readable, Writable True False False
private_0x000000fa3bd00000 0xfa3bd00000 0xfa3befffff Private Memory Readable, Writable True False False
private_0x000000fa3bd00000 0xfa3bd00000 0xfa3bdfffff Private Memory Readable, Writable True False False
private_0x000000fa3be00000 0xfa3be00000 0xfa3bffffff Private Memory Readable, Writable True False False
private_0x000000fa3be00000 0xfa3be00000 0xfa3befffff Private Memory Readable, Writable True False False
pagefile_0x00007df5ff7f0000 0x7df5ff7f0000 0x7ff5ff7effff Pagefile Backed Memory - True False False
ntoskrnl.exe 0x7ff644bc0000 0x7ff645411fff Memory Mapped File Readable, Writable, Executable False False False
private_0x00007ff67ce16000 0x7ff67ce16000 0x7ff67ce17fff Private Memory Readable, Writable True False False
private_0x00007ff67ce18000 0x7ff67ce18000 0x7ff67ce19fff Private Memory Readable, Writable True False False
private_0x00007ff67ce1a000 0x7ff67ce1a000 0x7ff67ce1bfff Private Memory Readable, Writable True False False
private_0x00007ff67ce1c000 0x7ff67ce1c000 0x7ff67ce1dfff Private Memory Readable, Writable True False False
private_0x00007ff67ce1e000 0x7ff67ce1e000 0x7ff67ce1ffff Private Memory Readable, Writable True False False
pagefile_0x00007ff67ce20000 0x7ff67ce20000 0x7ff67cf1ffff Pagefile Backed Memory Readable True False False
pagefile_0x00007ff67cf20000 0x7ff67cf20000 0x7ff67cf42fff Pagefile Backed Memory Readable True False False
private_0x00007ff67cf43000 0x7ff67cf43000 0x7ff67cf44fff Private Memory Readable, Writable True False False
private_0x00007ff67cf45000 0x7ff67cf45000 0x7ff67cf46fff Private Memory Readable, Writable True False False
private_0x00007ff67cf47000 0x7ff67cf47000 0x7ff67cf48fff Private Memory Readable, Writable True False False
private_0x00007ff67cf49000 0x7ff67cf49000 0x7ff67cf4afff Private Memory Readable, Writable True False False
private_0x00007ff67cf4b000 0x7ff67cf4b000 0x7ff67cf4cfff Private Memory Readable, Writable True False False
private_0x00007ff67cf4d000 0x7ff67cf4d000 0x7ff67cf4efff Private Memory Readable, Writable True False False
private_0x00007ff67cf4f000 0x7ff67cf4f000 0x7ff67cf4ffff Private Memory Readable, Writable True False False
runtimebroker.exe 0x7ff67d5a0000 0x7ff67d5b5fff Memory Mapped File Readable, Writable, Executable False False False
windows.networking.hostname.dll 0x7ffb525e0000 0x7ffb52617fff Memory Mapped File Readable, Writable, Executable False False False
authbroker.dll 0x7ffb530d0000 0x7ffb530f5fff Memory Mapped File Readable, Writable, Executable False False False
msauserext.dll 0x7ffb53100000 0x7ffb53119fff Memory Mapped File Readable, Writable, Executable False False False
windows.security.authentication.onlineid.dll 0x7ffb53190000 0x7ffb53242fff Memory Mapped File Readable, Writable, Executable False False False
windows.internal.shell.broker.dll 0x7ffb53f10000 0x7ffb53fa1fff Memory Mapped File Readable, Writable, Executable False False False
wwapi.dll 0x7ffb55310000 0x7ffb55325fff Memory Mapped File Readable, Writable, Executable False False False
windows.networking.connectivity.dll 0x7ffb553a0000 0x7ffb5544bfff Memory Mapped File Readable, Writable, Executable False False False
tokenbroker.dll 0x7ffb574c0000 0x7ffb57585fff Memory Mapped File Readable, Writable, Executable False False False
execmodelproxy.dll 0x7ffb57770000 0x7ffb57784fff Memory Mapped File Readable, Writable, Executable False False False
execmodelclient.dll 0x7ffb57990000 0x7ffb579d2fff Memory Mapped File Readable, Writable, Executable False False False
actxprxy.dll 0x7ffb57bf0000 0x7ffb58059fff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x7ffb58370000 0x7ffb58616fff Memory Mapped File Readable, Writable, Executable False False False
idstore.dll 0x7ffb58b80000 0x7ffb58ba6fff Memory Mapped File Readable, Writable, Executable False False False
npmproxy.dll 0x7ffb59af0000 0x7ffb59afdfff Memory Mapped File Readable, Writable, Executable False False False
wlanapi.dll 0x7ffb5a1a0000 0x7ffb5a1fefff Memory Mapped File Readable, Writable, Executable False False False
netprofm.dll 0x7ffb5a510000 0x7ffb5a54efff Memory Mapped File Readable, Writable, Executable False False False
windows.ui.immersive.dll 0x7ffb5b850000 0x7ffb5ba06fff Memory Mapped File Readable, Writable, Executable False False False
mrmcorer.dll 0x7ffb5ce30000 0x7ffb5cf3efff Memory Mapped File Readable, Writable, Executable False False False
wintypes.dll 0x7ffb60640000 0x7ffb60770fff Memory Mapped File Readable, Writable, Executable False False False
samlib.dll 0x7ffb60780000 0x7ffb6079bfff Memory Mapped File Readable, Writable, Executable False False False
samcli.dll 0x7ffb60b80000 0x7ffb60b97fff Memory Mapped File Readable, Writable, Executable False False False
propsys.dll 0x7ffb60c60000 0x7ffb60de2fff Memory Mapped File Readable, Writable, Executable False False False
mmdevapi.dll 0x7ffb60df0000 0x7ffb60e61fff Memory Mapped File Readable, Writable, Executable False False False
wkscli.dll 0x7ffb60f50000 0x7ffb60f65fff Memory Mapped File Readable, Writable, Executable False False False
winnsi.dll 0x7ffb61880000 0x7ffb6188afff Memory Mapped File Readable, Writable, Executable False False False
iphlpapi.dll 0x7ffb618a0000 0x7ffb618d7fff Memory Mapped File Readable, Writable, Executable False False False
wtsapi32.dll 0x7ffb61d70000 0x7ffb61d82fff Memory Mapped File Readable, Writable, Executable False False False
sppc.dll 0x7ffb61e00000 0x7ffb61e24fff Memory Mapped File Readable, Writable, Executable False False False
slc.dll 0x7ffb61e30000 0x7ffb61e55fff Memory Mapped File Readable, Writable, Executable False False False
coremessaging.dll 0x7ffb62300000 0x7ffb623c7fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x7ffb62920000 0x7ffb629b5fff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x7ffb629c0000 0x7ffb629e6fff Memory Mapped File Readable, Writable, Executable False False False
twinapi.appcore.dll 0x7ffb62b00000 0x7ffb62bedfff Memory Mapped File Readable, Writable, Executable False False False
netutils.dll 0x7ffb632a0000 0x7ffb632abfff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x7ffb63510000 0x7ffb63542fff Memory Mapped File Readable, Writable, Executable False False False
userenv.dll 0x7ffb63600000 0x7ffb6361efff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x7ffb63920000 0x7ffb63936fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x7ffb63a90000 0x7ffb63a9afff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x7ffb63c70000 0x7ffb63c9bfff Memory Mapped File Readable, Writable, Executable False False False
bcrypt.dll 0x7ffb63e70000 0x7ffb63e97fff Memory Mapped File Readable, Writable, Executable False False False
bcryptprimitives.dll 0x7ffb63ea0000 0x7ffb63f0afff Memory Mapped File Readable, Writable, Executable False False False
sxs.dll 0x7ffb63f10000 0x7ffb63fa7fff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x7ffb64050000 0x7ffb64062fff Memory Mapped File Readable, Writable, Executable False False False
powrprof.dll 0x7ffb64070000 0x7ffb640b9fff Memory Mapped File Readable, Writable, Executable False False False
kernel.appcore.dll 0x7ffb640c0000 0x7ffb640cefff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x7ffb640d0000 0x7ffb640e0fff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x7ffb640f0000 0x7ffb64133fff Memory Mapped File Readable, Writable, Executable False False False
windows.storage.dll 0x7ffb64140000 0x7ffb64767fff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x7ffb64770000 0x7ffb64930fff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x7ffb64a50000 0x7ffb64c2cfff Memory Mapped File Readable, Writable, Executable False False False
shcore.dll 0x7ffb64c30000 0x7ffb64ce2fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x7ffb64cf0000 0x7ffb64dadfff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x7ffb64f80000 0x7ffb65104fff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x7ffb65110000 0x7ffb66634fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x7ffb66640000 0x7ffb66765fff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x7ffb66770000 0x7ffb66777fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x7ffb66780000 0x7ffb667b5fff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x7ffb667c0000 0x7ffb6690dfff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x7ffb66b30000 0x7ffb66b80fff Memory Mapped File Readable, Writable, Executable False False False
combase.dll 0x7ffb66bf0000 0x7ffb66e6bfff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x7ffb66e70000 0x7ffb66fb0fff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x7ffb67020000 0x7ffb670c4fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x7ffb670d0000 0x7ffb6717cfff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x7ffb672d0000 0x7ffb6736cfff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x7ffb67390000 0x7ffb67397fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x7ffb673a0000 0x7ffb67445fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x7ffb67450000 0x7ffb675abfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x7ffb675c0000 0x7ffb6761afff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x7ffb67620000 0x7ffb677e1fff Memory Mapped File Readable, Writable, Executable False False False
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count Logfile
Create Remote Thread #19: c:\windows\explorer.exe 0x9e4 address = 0x7ffb67629fa0 True 1
Modify Memory #19: c:\windows\explorer.exe 0x9e4 address = 0x7ffb67629fa0, size = 4 True 2
Modify Memory #19: c:\windows\explorer.exe 0x9e4 address = 0xfa3ba00000, size = 598016 True 1
Modify Memory #19: c:\windows\explorer.exe 0x9e4 address = 0xfa398d0000, size = 792 True 1
Modify Control Flow #19: c:\windows\explorer.exe 0x9e4 os_tid = 0xb2c, address = 0x0 True 1
Host Behavior
Registry (6)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 - True 1
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 - True 1
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 - True 1
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 value_name = Ini, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 value_name = Client, type = REG_BINARY True 1
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299 value_name = Scr, type = REG_NONE False 1
Process (67)
Operation Process Additional Information Success Count Logfile
Get Info c:\windows\system32\runtimebroker.exe type = PROCESS_BASIC_INFORMATION True 67
Module (190)
Operation Module Additional Information Success Count Logfile
Load ntdll.dll base_address = 0x0 True 1
Load KERNEL32.dll base_address = 0x0 True 1
Load OLEAUT32.dll base_address = 0x0 True 1
Load ADVAPI32.dll base_address = 0x7ffb673a0000 True 1
Load SHLWAPI.dll base_address = 0x7ffb66b30000 True 1
Load USER32.dll base_address = 0x7ffb667c0000 True 1
Load PSAPI.DLL base_address = 0x7ffb66770000 True 1
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ffb670d0000 True 6
Get Handle c:\windows\system32\ntdll.dll base_address = 0x7ffb67620000 True 2
Get Handle c:\windows\system32\kernelbase.dll base_address = 0x7ffb64a50000 True 1
Get Handle c:\windows\system32\advapi32.dll base_address = 0x7ffb673a0000 True 2
Get Filename OLEAUT32.dll process_name = c:\windows\system32\runtimebroker.exe, file_name_orig = C:\Windows\System32\RuntimeBroker.exe, size = 260 True 1
Get Address - function = _snprintf, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = sprintf, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = ZwOpenProcess, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = ZwOpenProcessToken, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = ZwClose, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = ZwQueryInformationToken, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = strcpy, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = NtQuerySystemInformation, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = RtlNtStatusToDosError, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = ZwQueryInformationProcess, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = memcpy, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = NtUnmapViewOfSection, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = _wcsupr, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = _strupr, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = memmove, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = memset, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = wcscpy, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = ZwQueryKey, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = RtlFreeUnicodeString, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = wcstombs, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = RtlAdjustPrivilege, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = mbstowcs, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = RtlImageNtHeader, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = NtMapViewOfSection, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = NtCreateSection, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = __C_specific_handler, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = __chkstk, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = CreateFileMappingA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = SetFilePointerEx, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = QueueUserWorkItem, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = VirtualProtectEx, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = GetComputerNameW, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = ExpandEnvironmentStringsA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = FindNextFileA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = CompareFileTime, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = FindFirstFileA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = GetFileTime, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = GetCurrentProcessId, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = QueryPerformanceCounter, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = GetModuleFileNameA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = CreateDirectoryA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = GetLastError, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = HeapFree, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = RemoveDirectoryA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = CloseHandle, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = LoadLibraryA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = CreateFileA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = DeleteFileA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = lstrcpyA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = lstrlenA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = lstrcatA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = WriteFile, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = HeapAlloc, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = HeapDestroy, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = HeapCreate, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = SetEvent, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = HeapReAlloc, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = WaitForSingleObject, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = SuspendThread, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = OpenProcess, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = ResumeThread, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = lstrcpyW, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = lstrcmpiW, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = GetModuleHandleA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = CreateThread, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = CreateFileW, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = SwitchToThread, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = lstrcatW, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = Sleep, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = GetTickCount, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = SetWaitableTimer, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = CopyFileW, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = GetCurrentThreadId, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = GetCurrentThread, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = DuplicateHandle, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = lstrlenW, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = CreateEventA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = GetWindowsDirectoryA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = DeleteFileW, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = CreateDirectoryW, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = GetTempPathA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = lstrcmpiA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = WaitForMultipleObjects, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = lstrcmpA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = ResetEvent, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = CreateMutexA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = OpenWaitableTimerA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = MapViewOfFile, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = OpenMutexA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = UnmapViewOfFile, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = ReleaseMutex, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = GetVersionExA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = CreateWaitableTimerA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = SetLastError, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = InitializeCriticalSection, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = EnterCriticalSection, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = LeaveCriticalSection, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = UnregisterWait, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = VirtualProtect, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = RegisterWaitForSingleObject, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = TlsAlloc, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = TlsGetValue, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = LoadLibraryExW, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = TlsSetValue, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = GetProcAddress, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = GetDriveTypeW, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = WideCharToMultiByte, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = OpenFileMappingA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = GetExitCodeProcess, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = LocalFree, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = CreateProcessA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = GetFileSize, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = lstrcpynA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = Thread32First, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = QueueUserAPC, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = OpenThread, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = Thread32Next, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = ConnectNamedPipe, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = GetOverlappedResult, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = CancelIo, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = DisconnectNamedPipe, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = FlushFileBuffers, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = CallNamedPipeA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = CreateNamedPipeA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = GetSystemTime, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = WaitNamedPipeA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = ReadFile, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = SleepEx, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = OpenEventA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = LocalAlloc, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = FreeLibrary, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = RaiseException, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = VirtualFree, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = GetModuleFileNameW, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = GetVersion, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = GetLocalTime, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = QueryPerformanceFrequency, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = DeleteCriticalSection, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = GetTempFileNameA, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = FindNextFileW, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = SetEndOfFile, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = SetFilePointer, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = FindFirstFileW, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = RemoveDirectoryW, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = GetFileAttributesW, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = FindClose, ordinal = 0, address_out = 0xfa3b9ffb60 True 1
Get Address - function = 0, ordinal = 9, address_out = 0xfa3b9ffb60 True 1
Get Address - function = 0, ordinal = 6, address_out = 0xfa3b9ffb60 True 1
Get Address - function = 0, ordinal = 2, address_out = 0xfa3b9ffb60 True 1
Get Address - function = 0, ordinal = 8, address_out = 0xfa3b9ffb60 True 1
Get Address c:\windows\system32\kernel32.dll function = IsWow64Process, address_out = 0x7ffb670ee960 True 1
Get Address c:\windows\system32\advapi32.dll function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7ffb673bd610 True 1
Get Address c:\windows\system32\shlwapi.dll function = StrRChrA, address_out = 0x7ffb66b44dd0 True 1
Get Address c:\windows\system32\user32.dll function = wsprintfA, address_out = 0x7ffb667e2610 True 1
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7ffb673cec40 True 1
Fn
Get Address c:\windows\system32\psapi.dll function = EnumProcessModules, address_out = 0x7ffb66771040 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyA, address_out = 0x7ffb673bb9e0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7ffb673b7dd0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7ffb673b72e0 True 1
Fn
Get Address c:\windows\system32\shlwapi.dll function = StrToIntExA, address_out = 0x7ffb66b44e70 True 1
Fn
Get Address c:\windows\system32\shlwapi.dll function = StrChrA, address_out = 0x7ffb66b44cc0 True 1
Fn
Get Address c:\windows\system32\shlwapi.dll function = StrTrimA, address_out = 0x7ffb66b44e80 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCreateKeyA, address_out = 0x7ffb673e6dc0 True 1
Fn
System (5)
Operation Additional Information Success Count Logfile
Sleep duration = -1 (infinite) False 1
Fn
Get Time type = System Time, time = 2017-12-11 05:44:41 (UTC) True 2
Fn
Get Info type = Operating System True 2
Fn
Mutex (1)
Operation Additional Information Success Count Logfile
Create mutex_name = {67DC9F31-9A2E-31AD-DC8B-6EF5D0EF82F9} True 1
Fn