Suspected Zeus Panda Banking Trojan | Grouped Behavior
Monitored Processes
Behavior Information - Grouped by Category
Process #1: zeuspanda.vir.exe
(Host: 575, Network: 0)
Information Value
ID #1
File Name c:\users\ciihmnxmn6ps\desktop\zeuspanda.vir.exe
Command Line "C:\Users\CIiHmnxMn6Ps\Desktop\zeuspanda.vir.exe"
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:00:27, Reason: Analysis Target
Unmonitor End Time: 00:15:27, Reason: Terminated by Timeout
Monitor Duration 00:15:00
OS Process Information
Information Value
PID 0xfc0
Parent PID 0x728 (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xFC4
0xFD0
0xFD4
0x95C
Region
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 395.00 KB (404480 bytes) MD5: c9522f83c60a595694b2e4c6657982d0
SHA1: 8011fd0a959b7d17696306c4ab36c4974540cada
SHA256: b34abadaa54fa828fc3d1b1540004f5dd94873918d5b3f2a3eab49272b67415b
False
c:\users\ciihmn~1\appdata\local\temp\upd7d80021e.bat 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\upd7d80021e.bat 0.20 KB (206 bytes) MD5: 8af8618d93663f6360c20339ef5a5364
SHA1: 4d591882d8ab227e1a26755190d09b6b902e5101
SHA256: 3378fe0a23cbc25838f64841aee8cc0f589bb2bc6d5b901b3bf015aea3a04dc9
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 296.00 KB (303104 bytes) MD5: 2bbf4515f3f42a943b2732e24fc9f19e
SHA1: ce487e80749edeccbadefa9c6fb967ca743e70bd
SHA256: af1c61d4a742b3cb4a11b2bbbdc4b6a4ae77b215ad6aa57f1d51a309f2b77f9f
False
Host Behavior
COM (1)
Operation Class Interface Additional Information Success Count Logfile
Create 0000031D-0000-0000-C000-000000000046 00000109-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER True 1
File (53)
Operation Filename Additional Information Success Count Logfile
Create - desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ False 4
Create - desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 4
Create \??\C:\Users\CIiHmnxMn6Ps\Desktop\zeuspanda.vir.exe desired_access = FILE_READ_EA, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\popupkiller.exe share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\stimulator.exe share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\TOOLS\execute.exe share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create \\.\NPF_NdisWanIp share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create \\.\SICE share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create \\.\SIWVID share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create \\.\SIWDEBUG share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create \\.\NTICE share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create \\.\REGVXG share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create \\.\FILEVXG share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create \\.\REGSYS share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create \\.\FILEM share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create \\.\TRW share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create \\.\ICEXT share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Users\CIiHmnxMn6Ps\Desktop\zeuspanda.vir.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create \??\C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe desired_access = FILE_WRITE_EA, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming desired_access = GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe desired_access = FILE_WRITE_ATTRIBUTES, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys desired_access = FILE_WRITE_ATTRIBUTES, share_mode = FILE_SHARE_READ False 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = FILE_WRITE_ATTRIBUTES, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\niEo_GlbFe5Pi.qef desired_access = FILE_WRITE_ATTRIBUTES, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\kinto.pyi desired_access = FILE_WRITE_ATTRIBUTES, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\upd7d80021e.bat desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 2
Create Directory - - False 3
Get Info - type = file_attributes False 3
Get Info \??\C:\Users\CIiHmnxMn6Ps\Desktop\zeuspanda.vir.exe type = extended False 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming type = file_attributes True 1
Get Info C:\Users\CIiHmnxMn6Ps\Desktop\zeuspanda.vir.exe type = size, size_out = 404480 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming type = time True 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Read C:\Users\CIiHmnxMn6Ps\Desktop\zeuspanda.vir.exe size = 404480, size_out = 404480 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe size = 404480 True 1
Write C:\Users\CIIHMN~1\AppData\Local\Temp\upd7d80021e.bat size = 206 True 1
Registry (275)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 1
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\VBA - True 5
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\SQMClient - True 5
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech - True 2
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\WcmSvc - True 4
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Narrator - True 3
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\IMEMIP - True 2
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Poom - True 3
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\WAB - True 2
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Shared - True 1
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Sensors - True 2
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Siuf - True 1
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\wfs - True 3
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad - True 2
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows - True 1
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fax - True 2
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\PeerNet - True 3
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Unistore - True 1
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Feeds - True 1
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\GameBar - True 3
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Pim - True 3
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Osk - True 1
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Wisp - True 1
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\F12 - True 1
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF - True 1
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Keyboard - True 1
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ofumig - True 1
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Lineo - True 1
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Peet - True 1
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Exchange - True 1
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSF - True 1
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Abanz - True 1
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Open Key HKEY_CLASSES_ROOT\AppID\{10000002-0000-0000-0000-000000000001} - False 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 2
Open Key HKEY_CURRENT_USER\Software\WINE - False 1
Open Key HKEY_LOCAL_MACHINE\Software\WINE - False 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 2
Read Value HKEY_CLASSES_ROOT\AppID\{10000002-0000-0000-0000-000000000001} value_name = AccessPermission False 1
Read Value HKEY_CLASSES_ROOT\AppID\{10000002-0000-0000-0000-000000000001} value_name = AccessPermission, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = InstallDate, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = DigitalProductId False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = InstallDate, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = DigitalProductId False 1
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - False 2
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 5
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - False 1
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 5
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - False 2
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - False 3
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 2
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 4
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 3
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - False 3
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - False 3
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 2
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 3
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 2
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - False 2
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 2
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - False 2
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - False 2
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 3
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 2
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - False 2
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 2
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - False 2
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - False 2
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - False 2
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 3
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - False 1
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 3
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 3
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - False 1
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - False 1
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - False 2
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - False 2
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - False 2
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - False 3
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - False 1
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - False 1
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - False 1
Enumerate Keys HKEY_CURRENT_USER\SOFTWARE\Microsoft - False 1
Get Key Info HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 93
Get Key Info HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 1
Get Key Info HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 1
Get Key Info HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 4
Get Key Info HKEY_CURRENT_USER\SOFTWARE\Microsoft - True 1
Process (2)
Operation Process Additional Information Success Count Logfile
Create "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe" os_pid = 0xd34, creation_flags = CREATE_DEFAULT_ERROR_MODE, show_window = SW_HIDE True 1
Create "C:\Windows\system32\cmd.exe" /c "C:\Users\CIIHMN~1\AppData\Local\Temp\upd7d80021e.bat" os_pid = 0xd2c, creation_flags = CREATE_DEFAULT_ERROR_MODE, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
Module (53)
Operation Module Additional Information Success Count Logfile
Load KERNEL32.dll base_address = 0x76bc0000 True 1
Load USER32.dll base_address = 0x74500000 True 1
Load NTDLL base_address = 0x77190000 True 2
Load SSPICLI base_address = 0x742a0000 True 1
Load api-ms-win-core-com-l1-1-0 base_address = 0x76cf0000 True 1
Load psapi.dll base_address = 0x76450000 True 1
Load SbieDll.dll base_address = 0x0 False 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76bc0000 True 3
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77190000 True 4
Get Handle c:\windows\syswow64\advapi32.dll base_address = 0x75d40000 True 3
Get Handle c:\users\ciihmnxmn6ps\desktop\zeuspanda.vir.exe base_address = 0x20c80000 True 1
Get Handle c:\windows\syswow64\shlwapi.dll base_address = 0x75dc0000 True 1
Get Handle c:\windows\syswow64\secur32.dll base_address = 0x73c40000 True 1
Get Handle c:\windows\syswow64\shell32.dll base_address = 0x74760000 True 1
Get Handle c:\windows\syswow64\ole32.dll base_address = 0x74640000 True 1
Get Handle psapi.dll base_address = 0x0 False 1
Get Handle c:\windows\syswow64\user32.dll base_address = 0x74500000 True 1
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\zeuspanda.vir.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\zeuspanda.vir.exe, size = 260 True 1
Get Filename psapi.dll process_name = c:\users\ciihmnxmn6ps\desktop\zeuspanda.vir.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\zeuspanda.vir.exe, size = 260 True 2
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76bda330 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76bd7580 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76bd9910 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76bdf400 True 1
Get Address c:\windows\syswow64\ntdll.dll function = memcpy, address_out = 0x771fe7b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedExchange, address_out = 0x76bd7650 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapCreate, address_out = 0x76bd9950 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76bd25e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x771cbae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x771cda90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapDestroy, address_out = 0x76bdd940 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x76bd7910 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedIncrement, address_out = 0x76bd7520 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x76bd9640 True 1
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x76bd77b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x76bdd8d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryW, address_out = 0x76bda0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76bd7940 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76bd9660 True 1
Get Address c:\windows\syswow64\user32.dll function = LoadImageW, address_out = 0x74534500 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlAddVectoredExceptionHandler, address_out = 0x771ef090 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitializeCriticalSection, address_out = 0x771e95f0 True 1
Get Address c:\windows\syswow64\sspicli.dll function = GetUserNameExW, address_out = 0x742ac5f0 True 1
Get Address c:\windows\syswow64\combase.dll function = CLSIDFromString, address_out = 0x76da1390 True 1
Get Address c:\windows\syswow64\kernel32.dll function = wine_get_unix_file_name, address_out = 0x0 False 1
Window (1)
Operation Window Name Additional Information Success Count
Create - class_name = static, wndproc_parameter = 0 True 1
Keyboard (2)
Operation Additional Information Success Count
Get Info type = KB_LOCALE_ID True 2
System (98)
Operation Additional Information Success Count
Get Computer Name result_out = LHNIWSJ True 34
Sleep duration = 0 milliseconds (0.000 seconds) True 46
Sleep duration = -1 (infinite) True 1
Get Time type = System Time, time = 2017-11-30 14:35:33 (UTC) True 1
Get Time type = Local Time, time = 2017-12-01 01:35:34 (Local Time) True 4
Get Time type = System Time, time = 2017-11-30 14:35:34 (UTC) True 4
Get Time type = System Time, time = 2017-11-30 14:35:35 (UTC) True 4
Get Info type = Operating System False 4
Mutex (13)
Operation Additional Information Success Count
Create mutex_name = 8C5FF35F44C67C34381EFF128FE58575 True 1
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Create mutex_name = Sandboxie_SingleInstanceMutex_Control True 1
Create mutex_name = Frz_State True 1
Create mutex_name = 4F35AC27449784784508471CC1E930C7 True 1
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 2
Open mutex_name = ACD86ED691154353041C7827C4241C0D, desired_access = SYNCHRONIZE False 1
Release mutex_name = 8C5FF35F44C67C34381EFF128FE58575 True 1
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 2
Release mutex_name = 4F35AC27449784784508471CC1E930C7 True 1
Environment (2)
Operation Additional Information Success Count
Get Environment String - True 1
Get Environment String name = ComSpec, result_out = C:\Windows\system32\cmd.exe True 1
Process #2: containers.exe
(Host: 252, Network: 0)
Information Value
ID #2
File Name c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe
Command Line "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe"
Initial Working Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\
Monitor Start Time: 00:00:39, Reason: Child Process
Unmonitor End Time: 00:15:27, Reason: Terminated by Timeout
Monitor Duration 00:14:48
OS Process Information
Information Value
PID 0xd34
Parent PID 0xfc0 (c:\users\ciihmnxmn6ps\desktop\zeuspanda.vir.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xD30
0xD20
0xD28
0x70C
0x2C0
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00023fff Private Memory Readable, Writable True True False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True True False
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True True False
pagefile_0x0000000000040000 0x00040000 0x00053fff Pagefile Backed Memory Readable True False False
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory Readable, Writable True True False
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory Readable, Writable True True False
pagefile_0x00000000001a0000 0x001a0000 0x001a3fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory Readable True False False
private_0x00000000001c0000 0x001c0000 0x001c1fff Private Memory Readable, Writable True True False
private_0x00000000001d0000 0x001d0000 0x0020ffff Private Memory Readable, Writable True True False
private_0x0000000000210000 0x00210000 0x00210fff Private Memory Readable, Writable True True False
private_0x0000000000220000 0x00220000 0x0022ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000230000 0x00230000 0x00230fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000240000 0x00240000 0x00246fff Private Memory Readable, Writable True True False
private_0x0000000000250000 0x00250000 0x0025ffff Private Memory Readable, Writable True True False
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory Readable, Writable True True False
locale.nls 0x00360000 0x0041dfff Memory Mapped File Readable False False False
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000520000 0x00520000 0x006a7fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000006b0000 0x006b0000 0x00830fff Pagefile Backed Memory Readable True False False
c_1256.nls 0x00840000 0x00850fff Memory Mapped File Readable False False False
c_1251.nls 0x00860000 0x00870fff Memory Mapped File Readable False False False
private_0x0000000000880000 0x00880000 0x0088ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000890000 0x00890000 0x01c8ffff Pagefile Backed Memory Readable True False False
private_0x0000000001c90000 0x01c90000 0x01d17fff Private Memory Readable, Writable, Executable True True False
c_1254.nls 0x01d20000 0x01d30fff Memory Mapped File Readable False False False
private_0x0000000001d40000 0x01d40000 0x01d4ffff Private Memory Readable, Writable True True False
c_1250.nls 0x01d50000 0x01d60fff Memory Mapped File Readable False False False
c_1253.nls 0x01d70000 0x01d80fff Memory Mapped File Readable False False False
c_1257.nls 0x01d90000 0x01da0fff Memory Mapped File Readable False False False
c_1255.nls 0x01db0000 0x01dc0fff Memory Mapped File Readable False False False
private_0x0000000001dd0000 0x01dd0000 0x01dd3fff Private Memory Readable, Writable True True False
private_0x0000000001de0000 0x01de0000 0x01deffff Private Memory Readable, Writable True True False
pagefile_0x0000000001df0000 0x01df0000 0x022e1fff Pagefile Backed Memory Readable, Writable True False False
sortdefault.nls 0x022f0000 0x02626fff Memory Mapped File Readable False False False
private_0x0000000002630000 0x02630000 0x0272ffff Private Memory Readable, Writable True True False
private_0x0000000002730000 0x02730000 0x0292ffff Private Memory Readable, Writable True True False
private_0x0000000002930000 0x02930000 0x02d2ffff Private Memory Readable, Writable True True False
private_0x0000000002d30000 0x02d30000 0x0352ffff Private Memory Readable, Writable True True False
private_0x0000000003530000 0x03530000 0x0362ffff Private Memory Readable, Writable True True False
private_0x0000000003630000 0x03630000 0x045fffff Private Memory Readable, Writable True False False
kernelbase.dll.mui 0x04600000 0x046defff Memory Mapped File Readable False False False
c_932.nls 0x046e0000 0x04707fff Memory Mapped File Readable False False False
c_949.nls 0x04710000 0x04740fff Memory Mapped File Readable False False False
c_874.nls 0x04750000 0x04760fff Memory Mapped File Readable False False False
c_1258.nls 0x04770000 0x04780fff Memory Mapped File Readable False False False
c_936.nls 0x04790000 0x047c0fff Memory Mapped File Readable False False False
c_950.nls 0x047d0000 0x04800fff Memory Mapped File Readable False False False
pagefile_0x0000000004810000 0x04810000 0x04c0ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000004810000 0x04810000 0x0481ffff Private Memory Readable, Writable True True False
private_0x0000000004810000 0x04810000 0x04825fff Private Memory Readable, Writable True True False
pagefile_0x0000000004810000 0x04810000 0x04818fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000004810000 0x04810000 0x0488ffff Private Memory Readable, Writable True True False
pagefile_0x0000000004830000 0x04830000 0x04838fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000004890000 0x04890000 0x04890fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000048a0000 0x048a0000 0x048a0fff Pagefile Backed Memory Readable True False False
private_0x00000000048b0000 0x048b0000 0x048b0fff Private Memory Readable, Writable, Executable True True False
private_0x00000000048b0000 0x048b0000 0x048b3fff Private Memory Readable, Writable True True False
private_0x00000000048c0000 0x048c0000 0x048c0fff Private Memory Readable, Writable True True False
private_0x0000000004a60000 0x04a60000 0x04aeffff Private Memory Readable, Writable True True False
containers.exe 0x20c80000 0x20ce8fff Memory Mapped File Readable, Writable, Executable True True False
wow64cpu.dll 0x5c9f0000 0x5c9f7fff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x5ca00000 0x5ca72fff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x5ca80000 0x5cacefff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x731f0000 0x73217fff Memory Mapped File Readable, Writable, Executable False False False
samlib.dll 0x73220000 0x73232fff Memory Mapped File Readable, Writable, Executable False False False
samcli.dll 0x73240000 0x73253fff Memory Mapped File Readable, Writable, Executable False False False
netutils.dll 0x73260000 0x73269fff Memory Mapped File Readable, Writable, Executable False False False
winnsi.dll 0x73270000 0x73277fff Memory Mapped File Readable, Writable, Executable False False False
srvcli.dll 0x73280000 0x7329bfff Memory Mapped File Readable, Writable, Executable False False False
wkscli.dll 0x732a0000 0x732affff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x732b0000 0x73341fff Memory Mapped File Readable, Writable, Executable False False False
iphlpapi.dll 0x73350000 0x7337ffff Memory Mapped File Readable, Writable, Executable False False False
netapi32.dll 0x73380000 0x73392fff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x733b0000 0x733defff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x733e0000 0x733f2fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x73430000 0x734a4fff Memory Mapped File Readable, Writable, Executable False False False
apphelp.dll 0x734b0000 0x73540fff Memory Mapped File Readable, Writable, Executable False False False
bcrypt.dll 0x73550000 0x7356afff Memory Mapped File Readable, Writable, Executable False False False
winspool.drv 0x73840000 0x738a6fff Memory Mapped File Readable, Writable, Executable False False False
secur32.dll 0x73c40000 0x73c49fff Memory Mapped File Readable, Writable, Executable False False False
bcryptprimitives.dll 0x74230000 0x74288fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x74290000 0x74299fff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x742a0000 0x742bdfff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x742c0000 0x74341fff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x74500000 0x7463ffff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x74640000 0x74729fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x74730000 0x7475afff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x74760000 0x75b1efff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x75b80000 0x75c3dfff Memory Mapped File Readable, Writable, Executable False False False
powrprof.dll 0x75c40000 0x75c83fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x75d40000 0x75dbafff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x75dc0000 0x75e03fff Memory Mapped File Readable, Writable, Executable False False False
coml2.dll 0x75e10000 0x75e67fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x75e70000 0x75f1bfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75f20000 0x76095fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x760a0000 0x760e2fff Memory Mapped File Readable, Writable, Executable False False False
shcore.dll 0x76280000 0x7630cfff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x763b0000 0x76441fff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x76450000 0x76455fff Memory Mapped File Readable, Writable, Executable False False False
windows.storage.dll 0x764d0000 0x769acfff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x769b0000 0x76afcfff Memory Mapped File Readable, Writable, Executable False False False
comdlg32.dll 0x76b00000 0x76bbdfff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76bc0000 0x76caffff Memory Mapped File Readable, Writable, Executable False False False
combase.dll 0x76cf0000 0x76ea9fff Memory Mapped File Readable, Writable, Executable False False False
kernel.appcore.dll 0x76eb0000 0x76ebbfff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x77040000 0x77046fff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x77050000 0x7705efff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x77070000 0x7718ffff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77190000 0x77308fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007feb0000 0x7feb0000 0x7ffaffff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffd8000 0x7ffd8000 0x7ffdafff Private Memory Readable, Writable True True False
private_0x000000007ffdb000 0x7ffdb000 0x7ffddfff Private Memory Readable, Writable True True False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True True False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True True False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
private_0x000000007fff0000 0x7fff0000 0x7ffb3d30ffff Private Memory Readable True False False
ntdll.dll 0x7ffb3d310000 0x7ffb3d4d1fff Memory Mapped File Readable, Writable, Executable False False False
private_0x00007ffb3d4d2000 0x7ffb3d4d2000 0x7ffffffeffff Private Memory Readable True False False
Modified Files
Filename File Size Hash Values YARA Match Actions
SHA1: db21f887c9eeb6a231eea8c01e24980e272ee401
SHA256: 3eee1f1cee768e487aa015ba44aa4819a35d57b824818640737c310ba706ac8b
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 0.76 KB (779 bytes) MD5: c296662b42e3b5ee7be6dd9af55885f2
SHA1: c09f6e6e75acea7e909f23558c261c870516feb9
SHA256: 2eb22f9abd8970fd5979d3c838791d3b0407103fee2fdb0fb175e169e98e3a92
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 1.01 KB (1032 bytes) MD5: a899a735ca54806f0e2e5370d06f0c98
SHA1: eb594bca29702261f94ef2c47e448e6c8a08dc1d
SHA256: 63e9c849264425991071fbf13afc2181e22771a2e29f756df6538971519c51f0
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 1.25 KB (1280 bytes) MD5: ed450d8bb34ac18f53f98d9659e2257b
SHA1: e5fa0cd8ca4a010db979ae851a11d0edd4bd7b35
SHA256: a2ec6f8c3c15d6f2bcc9372bb88d84f28f86a8dac873c7c40bd8dc8866d4d5a8
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 1.50 KB (1537 bytes) MD5: 51c39c010e918623bd866a52ec6da38d
SHA1: 76c65a07447bc7d8cc4b25edb2f02f4abd738e61
SHA256: 21b071de60d5e782dfd9081187bc6848e35cdf05f4999e11bad6e1b71f9c9351
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 1.74 KB (1785 bytes) MD5: 43e3953ffdba1797aa3877c1517025b1
SHA1: 9620b6c79f3ad5b68b1a3c2671c961fddee74e8a
SHA256: 660fff60517b529b21b47b646664ab4746a4fdfeb1fc89cf87d00ee2a35700b9
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 2.00 KB (2046 bytes) MD5: f4350400ebc42cb6e8813c050ae7d516
SHA1: 2000f96970f9446a9206380384b9f5bb52c55d28
SHA256: 4259bf9b98280f07443819d7f30955ecf77c1bf2a8a1f67377340eef43d25e8e
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 2.24 KB (2295 bytes) MD5: ee07d6bf78d0be81801a915adcc02ca1
SHA1: c9971de09999df184fc368a619d73b1f3d58885c
SHA256: 22a8c2ecadebbe79e961a81bdf68957ff97d072d2b1f1e6c627f0d3b77c2d4f9
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 2.50 KB (2556 bytes) MD5: 63e81763e02bc00b58e52da6fc887a92
SHA1: 4e2eafcba532d8dada6a7c38773fce2ab3c81d82
SHA256: 4673b9dfe20e4c590f94207874ad592cdace907d55c612e766a96fb1e84a3042
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 2.75 KB (2816 bytes) MD5: e83c51b820041ef443e51d98e3f612be
SHA1: 53737ac895fd42e4987108c721c87e207f357b25
SHA256: bcf3c5be012c9aacfa9a37b3d06338fdaf32d2de3a4ace62cf9320e90caa172e
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 3.00 KB (3076 bytes) MD5: 3b12a168701971a21c9b571035c6a0f8
SHA1: 0da0f43065298e392749160f2ff40fdbe445124d
SHA256: 34ac8810b8abf4f8805071b5ecbfbde681e37a7962057d411c11cc596cb5dca6
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 3.56 KB (3643 bytes) MD5: 2739399741830726c012701bd52b7ccc
SHA1: 656c296562760815019ee973b7dd5378d8d6abc1
SHA256: f9c77921a460cc9b94a7491362527d1427b26823ed48158b631bc57ed33f652f
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 3.83 KB (3925 bytes) MD5: 27f6f2152d9eb2234694e0877422ccb6
SHA1: 0c861dc9db067c65e05f7f48fc677bc07966db22
SHA256: 5adb193561f442021455ec68521dafe9af71d2fd93fb1ee228eb4e97a30ab54c
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 4.10 KB (4197 bytes) MD5: 77f0193e8f6be3517577f1e1eda545be
SHA1: 555b8e0d22e10e617564bf02fd3b7c3e82a8748f
SHA256: 2a8ae96bde02e0862c3bae8bb8489d3f480e3eba6c9b24ca64ed106ce09c96b5
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 0.27 KB (274 bytes) MD5: b63bc739a27f74eb3fe9e276a366f896
SHA1: 3794137cdbe99f62b0097d737b5295e69a4193b9
SHA256: c653223195eeb21f55d4f1f004257fd43feb289a54ca10fbcaae382a87f89bb2
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 0.53 KB (547 bytes) MD5: 65c927cde4ddcff695818c5915114a3b
SHA1: d8b8f52e1cc755458d71d67e6d6460a78ae5a6cd
SHA256: 9c5193f63248af045b9014b75ea5379eed0159b919c639c7aa3dd5f4d01ec0f4
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 0.78 KB (800 bytes) MD5: aaeb7e4309d99bb808405b4e2cb7dc6d
SHA1: 90fe10c790a5b55fdc7ea16301cb19f662441d52
SHA256: b06b37d2eabbd600a8c21a8fa8a05e61dc53b392048d2a4e67faefad02f65a13
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 1.33 KB (1367 bytes) MD5: 6142480f697426d754adf0c6e7fb5497
SHA1: 712666f6c412c29fea791c60a57ed9f3aaf667ec
SHA256: 1457321593712996a5f299347a9277f397cbfe419bf3e4988dff3501dd2a2be5
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 1.61 KB (1648 bytes) MD5: f0b762838a58148af445925733cd9f86
SHA1: 88e79bcd4894cb5e925478224fd699fa9e7058cf
SHA256: d719b2c869f90bf179a7dfe8b172d46fcac7d349bf20851c22973eba48675907
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 1.87 KB (1911 bytes) MD5: 1e6e690e73680731887d430e0869762b
SHA1: 1def27555742adec44d8ab74c884a27afdfcb9a3
SHA256: b886fa128a611ba1b079207e01b374ca8068ab4fddae8feaf2b858c1e3f36cc5
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 2.08 KB (2125 bytes) MD5: 67fe90eff4a2f2650148f6f11e7a693d
SHA1: 6ca287f3f0ed0201c7be6f5299419813fdb2a314
SHA256: 33af58cf34284d20cfad224c064e48d4c9ff080b38f35d214da2b0b18824c2c9
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 2.35 KB (2405 bytes) MD5: 56a1ece9daeb8537a56f19911a83b199
SHA1: 99899656a32c2c593b848dd375f53ce580276a69
SHA256: 15d63269a8dbfcce2099b9913ca67877cf662165de479943c83d1b72af4b5c11
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 2.61 KB (2672 bytes) MD5: 03d9a4a10c71791249e80820860a4772
SHA1: c42acfe22aea70c470c0bbafbbc8f80230bd2a75
SHA256: fd395968c56a16d75076f1cd6a419a7e8b323a1123241efccf3328875a2b5e85
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 2.88 KB (2953 bytes) MD5: 12b2fb63c9d060744945e33af1c1d6ef
SHA1: 52ae7aed5e40f16d392afa7eb59408dca6113aa6
SHA256: 47e873983d945ffb5758832dd38cb8ce4bbaa825daf9fb5916021734d521aa55
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 3.14 KB (3216 bytes) MD5: 562718cc0f9dde290ed96144b8748924
SHA1: 42a2d996649d6169dd012fd6ec4c8521c6d1d7dc
SHA256: b563f6a196269196c279309972f9a89acd9e2e4617189ab1f66aaa88bf75e2a6
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 3.36 KB (3441 bytes) MD5: 0208276064edd371df9848924d2ce52d
SHA1: 60f93d5902a52b9907367c4fc8c35e28bdc0aeec
SHA256: d0a1ec62d000edaa129c3222687eb7d88abe1a8bb85861a716d00d80d84708cb
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 3.63 KB (3720 bytes) MD5: b3e4bc7bce0449140c64a20417806736
SHA1: 6a838d862582ad885d06c270bd7e53735319ce12
SHA256: cf71b8662a2d46c3719bfe02b97e9aab66be023de85dd6a49126f79cb6b134b7
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 3.89 KB (3979 bytes) MD5: ab7ddef34dd4e99db84d975b083de0d6
SHA1: aa71c4be3d1c4bc3aa1a3f114fc6749dcb8a4040
SHA256: 315d798eadba544f89087288724ad849cf7cc25efaf9583804e3eb3e079ae930
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 4.15 KB (4252 bytes) MD5: 658f9d71ddc6ec54bf9b6aec30d3cc5c
SHA1: a8a7679c5b026ee35aee89fd82977cd03184bd1d
SHA256: ef25c2ead97bd3d50fb29f2b839bd22de88aabcaf9be950257f5da707d309ba2
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 4.38 KB (4488 bytes) MD5: 0b543aac930cd2d9562a2ae37a232394
SHA1: d55c49127a48a15e742c8301f1adfc5150644c24
SHA256: 8f4de247957a1dcadc2e773f496449e7c8dd4a4f9e5757e070d3b9b86471df0e
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 4.53 KB (4634 bytes) MD5: 777fb81ebcdc022b739ee4b76c9d5df8
SHA1: 70b777c0c27c1671963967f24b848ec324e0b1b6
SHA256: 65bc0257ba4496f4b6787110f355626018dd87874a6e63d56ffcb732f04fca9a
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 4.66 KB (4773 bytes) MD5: b792ee8d6e31c5581599e6a89954153a
SHA1: 25e49f913f5429deef37440b2d365cd02e0c2ba0
SHA256: 6a185d6e5d87ecf0d254fe8e47d9af25d1422fbdabfeb1013130719bbf4c536f
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 4.79 KB (4908 bytes) MD5: bf8342780823e7fa44222be101e34cfe
SHA1: b4b72399aba5fa5ef3300eb2f9b4897dcff4b7c3
SHA256: 3e8699ac936f447bee469056d62db8c7301de1c7dc15e1ae24bd8fe4f438e220
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 4.93 KB (5052 bytes) MD5: 0eec26117a364bab41c65b8be51bf2a4
SHA1: 11f350a58a993bd65365e1d38861300df4edf846
SHA256: 1b67bd51942f805a1c384bc2c52a2d6277663a023268dbd7c6da31bc2f9f935d
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 5.07 KB (5192 bytes) MD5: 60dcaf9c56f8d66145f69c96a47d76fb
SHA1: 4be74bc99b72d84fede317d5d732e4a271897723
SHA256: 15fe4ca92da1c77194de1581042d01da407d6c8ce64d5fe0e883d49a3feabda2
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 5.21 KB (5335 bytes) MD5: 60afd01276a7217536508e7d8dcf7722
SHA1: 48b272c35290690ff2a7719b0e30d1dfd081c09c
SHA256: 630d9367a0c625eb56828ee87ffde3e7d4c1a8fb1f7bc0d0882e404ac786c31c
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 5.90 KB (6038 bytes) MD5: c4e9d5d89ef582566b872e3df3baadac
SHA1: 8eb453ea778bd905062afea5f2311d33ed679551
SHA256: 6b2b6639e4d53535197d9bbc35f8b66924ab8de931c7e736a16620309f77304d
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 6.04 KB (6190 bytes) MD5: 742a63b65e9f6e45ac49368d223529ad
SHA1: 8d83f521c3a1deb650ad57bec34d034b337e5fe8
SHA256: 271d6db98241bec76c1e506395c0b55b6f2362de0e30a3be2ceea129dab15768
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 6.19 KB (6338 bytes) MD5: 01b7f7e06d6ab697fd90fd2bfb7a436f
SHA1: 8146f3ce0707a8eba00321dc01c3933090ece463
SHA256: 9bfefe3527f1ba567e6ecb8967f435b5039c04ac25113281e82fe824635c6105
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 6.33 KB (6486 bytes) MD5: 3f9d60b99925d17d305c8de36efba69e
SHA1: 1452bd2ed0e3a6d34f660e7c500779f77a3a3ab4
SHA256: 12819b07bcfdc3ee0fb7c58332db4f18bd9fbee87ea5ec2c7d1dd8747476812f
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 6.47 KB (6630 bytes) MD5: ec89e8caae91162a4c14e37c3ee0f430
SHA1: 36801dd88a32a839c211f1e88f813418397de0fc
SHA256: 3dc0176abe4597044a51d5015e29f83e9d103cee9e8d555a7110fd309dc9a7fe
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 6.62 KB (6774 bytes) MD5: b65734e1f4fdd0ad4184482f1e3181bd
SHA1: 70e650ac0e1f5ca5ae24ae87779ad54818075f76
SHA256: 0bab7331b42fde8dad5c7c905bb5457b77807025122b182fcafe96e6946a6535
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 9.00 KB (9212 bytes) MD5: 4e77889fc8fc893ddd18911ef58a2d80
SHA1: c0f447fe92b4e8e015b77b002e4f69a23d6bcc52
SHA256: f3eba3caf493ae6f20f1f471d2ee2a89f20a67b9049f14488d016fc7432370f2
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 9.14 KB (9359 bytes) MD5: 06fe29029ef50296c78ca70fc8161ce2
SHA1: bd91aa1ff29a4dce613641ed503a8c5e7767bcf4
SHA256: 8de91be2daf94ae434445478a545bc64ab66e3e46c6502d3ab5d6b5f3cdee346
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 57.87 KB (59258 bytes) MD5: b8959860eeb641326a8c1fea8b88c747
SHA1: 1414a403573ca8ed711432b4411b2c40900b0874
SHA256: f7449b824eee3a46d9694a152b77865eda9efaa51670eeb3764b4296fde5ecbf
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 58.18 KB (59575 bytes) MD5: 5f905eb958e44c3504454719df7830ee
SHA1: 2d308753953c59878409e7aa63c945ec315d7801
SHA256: 7a2f8c532146fa93821473e907e05e27b2df0633e79accc0d837be2a5a8998d4
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 58.95 KB (60368 bytes) MD5: f5de183a5d8b7fb45581d38d3a9d8996
SHA1: 180472a99a10d21371fee89b7af6dbc5bfd9f1f5
SHA256: 4b7b34da9e1cc63ee083c18b891cdd60b1d0c37be3a11bce981b4200ba4083f4
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 59.09 KB (60513 bytes) MD5: cf8e0558f3ebe23d18591c885e5cc90d
SHA1: 85f405b7efb91ff6695a46a086ccd23db0abbeaa
SHA256: 18276ea5d5978cdbc1c6958afd99d1310be7308a70e2d20272b57f04337a7461
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 59.23 KB (60654 bytes) MD5: 4c79fd219ccba9da9aa4d940cab0643e
SHA1: 76ae8b91ce20ce8a192eb89a685ce525f8600356
SHA256: 4e82cc39c4ee7af1ca6902129d6dae03019e4631bc3c2843fda6948c62f5410c
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 59.54 KB (60968 bytes) MD5: 977667f81f4c9395fac951940fe21608
SHA1: 7e74ead716a09bbcdf763eedc9c07e3f7b0d4d9b
SHA256: 74ad3170284612c1b4acfa5c03b20b0464f3838f8684f221c4a806413df2b56d
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 61.09 KB (62558 bytes) MD5: 719eefaf8ed61dd59151a03ae5d7489c
SHA1: c4991e51668ce2b1368012e94fdd175f44bb0059
SHA256: 64a059a6c66557c5d016e5eb4be0c16a473cdf8af26a38ad2751c37f998ffedd
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 61.34 KB (62809 bytes) MD5: e83d0a37f12fa9e077aebd6dc7196962
SHA1: 7ec7656e4926b37bc18831931ee9672458f89200
SHA256: 4e304ab43ac39dd7c0ad374a1e78f358a0961d18e9b3dbe2a05a715bf95e8557
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 61.59 KB (63066 bytes) MD5: 35fd8847359a0d204fa890921bcfbd70
SHA1: 1a52236fc03ca560abcf875d746323e9eaeeb2af
SHA256: 5cd77d2d534397fceab04193c57cdeddb35183e98e9dcd325f9d973d5b83468f
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 61.86 KB (63346 bytes) MD5: 5101d7a955e3ab8c8c99b2d3ecd64fb5
SHA1: 1191cff510788667804fca47b8dbaa2b49f9531a
SHA256: 869d6dfd5153cebd0d705bc1d1a9b5d5ef2380ce504a190ec48c1e707bdb4966
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 62.10 KB (63594 bytes) MD5: 89d13e2e1ee97cd12ab6399ab713dba7
SHA1: 3daac12bdc5e4b36c3d056b0f98e65f85fa50ce3
SHA256: d830abc9df6880dcf4e4f269d0b97f3b07cce833b6a85d5d78f77ae00dca1cc0
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 62.35 KB (63851 bytes) MD5: 6aca05d501f8ee1356089497c803e7e8
SHA1: a1d710c54ae660f80379858bb3242e46a9227fea
SHA256: acbc12a2880b8dc30bc8b593f9401316052e0379879e56091bb3bab2ddc83dbe
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 62.63 KB (64131 bytes) MD5: 74d7bba8446d3dd10539749ee3828bf0
SHA1: fc81b7afafdc6211a5799c67975b53a1a08ac427
SHA256: 7c987505acc3664a81e0790b10f13e66166e40d34549816cd8478b99d24a3f4a
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 62.87 KB (64379 bytes) MD5: 7b22368e6fa7be6a9367814f1140b7d0
SHA1: cdfe46b447c18ecfcc8544518e01397fb384a58f
SHA256: 983dff21ea81b8e17e032bbba44bf1ea80b73a67b2710bce905bc998562f02ad
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 63.12 KB (64640 bytes) MD5: a12970b34917a4567691fe0cc637098b
SHA1: 677b21967390ad5ab423d533d5656b2e857bfe7f
SHA256: b4e5db19ff959d6fd4b8a7165af593ea5995b0b2bb2fcbe06f825a9f32ce6100
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 63.40 KB (64920 bytes) MD5: e1423f9fd3d28137e487941bf42d59d2
SHA1: 5982ac554ff115d5159671ba88f2ebe7bd45b357
SHA256: 4518bcc0e6f8f524c42395ce3beec9e04c52e34caf83716d45328c9e6e350a61
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 63.64 KB (65169 bytes) MD5: e32fbd49fe8892e926ee9099f74a9406
SHA1: 846845be56de8307b9d065253d0855c783c206d9
SHA256: fdd9ab6a7e272a8a0523c7f1ee23307057dd76c93eef0c6731f9d65e58a64782
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 63.90 KB (65430 bytes) MD5: 41dee095438331c85337715471144b2b
SHA1: fa9d558bc5dd89e66e309e7c121c9f71bd913ac1
SHA256: ec47911cdfbcf12a5459876ede2946ec799e9272b67323a295eef03821da611c
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 64.17 KB (65711 bytes) MD5: d673e9072973fd465b31987dbc0611ee
SHA1: 778a8394ba15345051af228735da0ba0b7ab9009
SHA256: 559cffc7b745e6ba7b83b03950f3286eaa220ee2c922d03f3022a935e63c787a
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 64.40 KB (65948 bytes) MD5: dab78359a22d68a1e3936c59eb0fedc0
SHA1: 01d315deb0f808282ced752c8d693ea8c2e05d2f
SHA256: 52345e8c8ccf23e003b18121a74687b2fd466d6f5eac4760603b6582eeb4193f
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 64.63 KB (66184 bytes) MD5: fa0de1182a9bde039f0ec5d2cbc211af
SHA1: 241af6d21cff774017f0eb9cff72f22bab8eab30
SHA256: 4918121ec42b8b044919aa1d531be1f82a6789d06c213714ca1a996932a3be38
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 64.86 KB (66420 bytes) MD5: 3371590e60e649b4de8a73afa9dcb93f
SHA1: 6cb98960b6f0bbf7797d7244ca2d1b6d853ce097
SHA256: d73fcf1f6d1a6a7e907eef527aebc91c79a0ddb89b1242d184b3aba80e7c7159
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 65.09 KB (66656 bytes) MD5: 3a3f49e988741e8e852de274921cafa8
SHA1: 78372b93d84a597e8cb225708b3665c5c8832322
SHA256: 2655969808e511b23ed29c1546e83a4c82d39889cc075bfc86bff8747325e066
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 65.32 KB (66892 bytes) MD5: ee8abd6ad7a0dda0a53cf8a22688c580
SHA1: 91f83060394aa7674c9a135bc4c9d6508a534e13
SHA256: a15093931269db8f9281f5c4777546856f3c8f8adef3569a8052c1b16bc95b22
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 65.60 KB (67174 bytes) MD5: c73560dc36b9fa1406fee74e909a1928
SHA1: 6d0bcf3936bfc4202f828e2921370a2aacfd280b
SHA256: 41a68f203a733f0f4f2b56e001dba5a773eeee8b83b4fc0938a6c5436809650a
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 65.87 KB (67447 bytes) MD5: 53054daedfef2d4df376fd30e8d05bec
SHA1: 2c61e80cfd89b18cf6595b9c2d1d5740a2b642ef
SHA256: 29e66449359c00285da96c5c30c97d4bb41e3618532059988531bf9176b99b56
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 66.08 KB (67661 bytes) MD5: f923413fcb241a839ff9dac023e67239
SHA1: 368ea75d9e40ca03b81e0f5c1d993dc9e8e4e975
SHA256: 43df8f131145a72bfc9e4ddfc662e3d104c0dc0f78f38fa56ab65993c552683c
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 66.35 KB (67941 bytes) MD5: cb604971b422caf88e36a7b9df2f34f5
SHA1: eff3450b4333718b638a52f856795b9f7341ce34
SHA256: 333329b911c3bfb71cab7e282a5af8b98b5bf06094fceaf3333b5b382468de4f
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 66.61 KB (68208 bytes) MD5: 98f2a758cc7a4f91784500c4611aba65
SHA1: a18863dba063432401ee1aabccb8e823bab8c760
SHA256: 9dba5e3efea4789595a3377f7f05c6143f73a32b4d77a2f6eb6503798e92ee90
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 66.83 KB (68433 bytes) MD5: 74cfc4d8677f142d44a5bc2e62fbbb76
SHA1: 9a844e74f70fa704f220dc17d1cd106edd178af5
SHA256: 6256c08a18c462914fdd78b08afc4507b6cb5317c2a9c309d332594bd28fb6c8
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 0.27 KB (274 bytes) MD5: 64f1830c9286c825ddb25313c564dcce
SHA1: dbd8ce6cedf20a300995e1a6202b7ac2527304e5
SHA256: d41480b84194701753760c6b52aa9bc577a96ae12d15e145f28bcfb883bf84b7
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 0.50 KB (510 bytes) MD5: 5f8a25cc1f314787827999f4673b1f83
SHA1: f48aca2b4ab2252c676a22b2e172ef2b1df5c614
SHA256: 965259d90b623fc3e3c9c01acca7fed77aa84be1a7ef06a36a4e4877b26cd829
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 0.76 KB (782 bytes) MD5: ad91b81d26949997ed07a5316154c8e2
SHA1: ae747597a7d8b1e3773d6ede29b22e89adb4cd6c
SHA256: 4e4886c649821454eb4003911915b81d398dc3af9b7dbef733a7b5c91040d253
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 1.03 KB (1055 bytes) MD5: f99423713a627a420a6cb5fbf51e955a
SHA1: 9cfd490da9ab6c96c3e2120a7fbc81cdd7017b0c
SHA256: 58b2c86bede34764b794d5517e171c8e6547b0529db29c3c837b5f377f8e6214
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 1.30 KB (1336 bytes) MD5: 69e2528c964f38a71bc8af808d3bcde0
SHA1: 58e41afbadf13a58589d1559a9b831f12b111221
SHA256: 96e34349cbb6b18028231e3ecf762a1b9c7c44e43851762a51122ad32744056a
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 1.56 KB (1599 bytes) MD5: c288f198ffffa440be84a8037277572b
SHA1: 8ca8d273dcb495c8acac03c89e62bcaf9ca9266d
SHA256: ca11067f5a63b9b7b7417b49586580125bf15eaa63ef19b01d0900cf7a593703
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 1.84 KB (1880 bytes) MD5: 9f589c1eb5d7c684b28468cb8797fea7
SHA1: d8ef50a0cd4c3dbdbd786e76199257dd489b0a6e
SHA256: f1b48fb832e3497a07985836c4dbf335168339574b844bf9e87234e117fd58ad
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 2.09 KB (2143 bytes) MD5: 80f77b2c7ae13b70dc73079dd0f90458
SHA1: efcba073526fafc162456ff153485274eb6b3625
SHA256: 2095255108dbe238b465278bdce6105b35dd7ebaecfd17e2cfd3a6ff04fc5405
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 2.37 KB (2422 bytes) MD5: c668bca5b35c9d76fba586282b49534f
SHA1: 59b095861e759288fdcdccd696e71df60255e083
SHA256: a605ba00937e533eb3fac2fa4da6be900a86a80697f805a8aba896b6a2652f81
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 2.62 KB (2681 bytes) MD5: 4beb05cf897cc4b3ca8204366a1c4db3
SHA1: 8bcbd9d2c82f2fad61fea4abcb5da1fa68ee02cd
SHA256: 486035ae475be0e61fecdfea8daaa99f50d470060f74737a4acca78df6489657
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 2.89 KB (2961 bytes) MD5: 7c3af3e6e4dae95a9e2f9e0000d8da9f
SHA1: 3cde48237a7876e1c761c0fc3c09863f332282de
SHA256: fd91cb3e5de4d8f8db8daa17a0d949e5199f42d885f6c48790527e8d2b6cf05c
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 3.14 KB (3218 bytes) MD5: 3b51544a4da8ec239a2d018439ca3678
SHA1: fbbaf67886925695eae5f403ef5be956a8e6bbb5
SHA256: 8d6b0c1c9e5fe6063d169f9dd41417976eac2ea4e2afbfba36decbde6ec7f32f
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 3.42 KB (3498 bytes) MD5: 698254390007dd7faece68a269abd736
SHA1: 8e8c7afdfc7883ad6cd34618adbf56cd96f06cb8
SHA256: f1aac149e8b8597ebd9d20154451c9788c73fee8a3542769663ca4c519e58159
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 3.67 KB (3755 bytes) MD5: a37c2debc8f32c5e7255c0c158f0a941
SHA1: cdad4f8149b67943dcf1db300223794829908c82
SHA256: 4282dada6036552c9f7f23863ef69329d1dee1da7646358e79f12810b93ee79d
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 3.94 KB (4035 bytes) MD5: dc0a9e47cf7dcccf687fdde2b3513185
SHA1: fcb69f4f889481691da2ab56771f4e744648d0a8
SHA256: fad0a7fc37eb112ab190268b9a0fda2188b9ed62c20788036ecbdd1a3b727cb4
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 4.20 KB (4296 bytes) MD5: f841972a36ea5b6654c8b0a32790b821
SHA1: e76e2025503dda2fd621518ba90ae6104b7535f7
SHA256: 1bc63479cec8c3780ef61bdf37ef4ab25e05469979dc1b7a170025c785a05ee3
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 4.47 KB (4577 bytes) MD5: 7480c8cdc7b9b961a4783326fb826aae
SHA1: db5b49ca1a20e46d8b244547f98774ff69c38a64
SHA256: abc4087c1fa593f0d99eee65150e2dce17d2ba5d0b595d3a940c97ec35fc7b2f
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 4.72 KB (4838 bytes) MD5: a4e392de6f566e05819621bb73bcbdf6
SHA1: 21569d3d1cc72323bc5ca8f6caaea917be8305eb
SHA256: b673d26910bd425fea48eb4d5958c321158932a50acabcf5cfd4000490ac7a61
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 4.96 KB (5074 bytes) MD5: 621a855ede4bd70aef48943907b297f8
SHA1: 61f759daebc70360f8171da11456d6404914d092
SHA256: a2c088557b827c66bc9bd108ca33be06d8f15d6cc68491587a20b41dfc6ddd98
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix 5.19 KB (5310 bytes) MD5: 63fa073673f9ab09af518521cd1b00fa
SHA1: e25092f15bd872ad26fa53d0edea620c67e81a5f
Host Behavior
COM (1)
Operation Class Interface Additional Information Success Count Logfile
Create 0000031D-0000-0000-C000-000000000046 00000109-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER True 1
File (42)
Operation Filename Additional Information Success Count Logfile
Create - desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ False 2
Create - desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 2
Create \??\C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe desired_access = FILE_READ_EA, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\niEo_GlbFe5Pi.qef desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create Directory - - False 1
Get Info - type = file_attributes False 1
Get Info \??\C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe type = extended True 1
Get Info C:\Users type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 0 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 261 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\niEo_GlbFe5Pi.qef type = size, size_out = 0 True 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 261, size_out = 261 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 261 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 521 True 1
Registry (9)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CLASSES_ROOT\AppID\{10000002-0000-0000-0000-000000000001} - False 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 2
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Read Value HKEY_CLASSES_ROOT\AppID\{10000002-0000-0000-0000-000000000001} value_name = AccessPermission False 1
Read Value HKEY_CLASSES_ROOT\AppID\{10000002-0000-0000-0000-000000000001} value_name = AccessPermission, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = InstallDate, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = DigitalProductId False 1
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_NONE False 1
Process (2)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\SysWOW64\svchost.exe -k netsvcs os_pid = 0xa88, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Create C:\Windows\SysWOW64\svchost.exe -k netsvcs os_pid = 0xea0, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Thread (2)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\SysWOW64\svchost.exe -k netsvcs proc_address = 0x4f0b50c, proc_parameter = 0, flags = THREAD_RUNS_IMMEDIATELY True 1
Create C:\Windows\SysWOW64\svchost.exe -k netsvcs proc_address = 0x485b50c, proc_parameter = 0, flags = THREAD_RUNS_IMMEDIATELY True 1
Memory (10)
Operation Process Additional Information Success Count Logfile
Allocate C:\Windows\SysWOW64\svchost.exe -k netsvcs address = 0x4f00000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 131072 True 1
Allocate C:\Windows\SysWOW64\svchost.exe -k netsvcs address = 0x4850000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 131072 True 1
Write C:\Windows\SysWOW64\svchost.exe -k netsvcs address = 0x4f00000, size = 131072 True 1
Write C:\Windows\SysWOW64\svchost.exe -k netsvcs address = 0x4f1b6a4, size = 4 True 1
Write C:\Windows\SysWOW64\svchost.exe -k netsvcs address = 0x4f1b7c0, size = 4 True 1
Write C:\Windows\SysWOW64\svchost.exe -k netsvcs address = 0x4f1bdb4, size = 4 True 1
Write C:\Windows\SysWOW64\svchost.exe -k netsvcs address = 0x4850000, size = 131072 True 1
Write C:\Windows\SysWOW64\svchost.exe -k netsvcs address = 0x486b6a4, size = 4 True 1
Write C:\Windows\SysWOW64\svchost.exe -k netsvcs address = 0x486b7c0, size = 4 True 1
Write C:\Windows\SysWOW64\svchost.exe -k netsvcs address = 0x486bdb4, size = 4 True 1
Module (48)
Operation Module Additional Information Success Count Logfile
Load KERNEL32.dll base_address = 0x76bc0000 True 1
Load USER32.dll base_address = 0x74500000 True 1
Load NTDLL base_address = 0x77190000 True 2
Load SSPICLI base_address = 0x742a0000 True 1
Load api-ms-win-core-com-l1-1-0 base_address = 0x76cf0000 True 1
Load psapi.dll base_address = 0x76450000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76bc0000 True 2
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77190000 True 4
Get Handle c:\windows\syswow64\advapi32.dll base_address = 0x75d40000 True 3
Get Handle c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe base_address = 0x20c80000 True 1
Get Handle c:\windows\syswow64\shlwapi.dll base_address = 0x75dc0000 True 1
Get Handle c:\windows\syswow64\secur32.dll base_address = 0x73c40000 True 1
Get Handle c:\windows\syswow64\shell32.dll base_address = 0x74760000 True 1
Get Handle c:\windows\syswow64\ole32.dll base_address = 0x74640000 True 1
Get Handle psapi.dll base_address = 0x0 False 1
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe, size = 260 True 1
Get Filename psapi.dll process_name = c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76bda330 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76bd7580 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76bd9910 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76bdf400 True 1
Get Address c:\windows\syswow64\ntdll.dll function = memcpy, address_out = 0x771fe7b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedExchange, address_out = 0x76bd7650 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapCreate, address_out = 0x76bd9950 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76bd25e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x771cbae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x771cda90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapDestroy, address_out = 0x76bdd940 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x76bd7910 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedIncrement, address_out = 0x76bd7520 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x76bd9640 True 1
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x76bd77b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x76bdd8d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryW, address_out = 0x76bda0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76bd7940 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76bd9660 True 1
Get Address c:\windows\syswow64\user32.dll function = LoadImageW, address_out = 0x74534500 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlAddVectoredExceptionHandler, address_out = 0x771ef090 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitializeCriticalSection, address_out = 0x771e95f0 True 1
Get Address c:\windows\syswow64\sspicli.dll function = GetUserNameExW, address_out = 0x742ac5f0 True 1
Get Address c:\windows\syswow64\combase.dll function = CLSIDFromString, address_out = 0x76da1390 True 1
Window (1)
Operation Window Name Additional Information Success Count Logfile
Create - class_name = static, wndproc_parameter = 0 True 1
System (45)
Operation Additional Information Success Count Logfile
Get Computer Name result_out = LHNIWSJ True 33
Get Time type = System Time, time = 2017-11-30 14:35:36 (UTC) True 5
Get Time type = Local Time, time = 2017-12-01 01:35:36 (Local Time) True 4
Get Info type = Operating System False 3
Mutex (16)
Operation Additional Information Success Count Logfile
Create mutex_name = 8C5FF35F44C67C34381EFF128FE58575 True 1
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 3
Create mutex_name = DD53550AC9EB25CC6151CE1EB2A70FC3 True 1
Create mutex_name = EF45F0E754F1354293A017BE4F985965 True 1
Create mutex_name = E69AF5C9A1CE7CC06B48F35248935FCD True 1
Open mutex_name = 4F35AC27449784784508471CC1E930C7, desired_access = SYNCHRONIZE True 1
Open mutex_name = 8EB663269EDB2551D78D6BE980D8D1D5, desired_access = SYNCHRONIZE False 2
Open mutex_name = 8592029A1BBD0F5EDCA2A860E613ACDB, desired_access = SYNCHRONIZE False 2
Release mutex_name = 8C5FF35F44C67C34381EFF128FE58575 True 1
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 3
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Process #3: cmd.exe
(Host: 106, Network: 0)
Information Value
ID #3
File Name c:\windows\syswow64\cmd.exe
Command Line "C:\Windows\system32\cmd.exe" /c "C:\Users\CIIHMN~1\AppData\Local\Temp\upd7d80021e.bat"
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:00:41, Reason: Child Process
Unmonitor End Time: 00:15:27, Reason: Terminated by Timeout
Monitor Duration 00:14:46
OS Process Information
Information Value
PID 0xd2c
Parent PID 0xfc0 (c:\users\ciihmnxmn6ps\desktop\zeuspanda.vir.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xD3C
0x7D8
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000470000 0x00470000 0x0048ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000470000 0x00470000 0x0047ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000480000 0x00480000 0x00483fff Private Memory Readable, Writable True True False
private_0x0000000000490000 0x00490000 0x00491fff Private Memory Readable, Writable True True False
private_0x0000000000490000 0x00490000 0x00493fff Private Memory Readable, Writable True True False
pagefile_0x00000000004a0000 0x004a0000 0x004b3fff Pagefile Backed Memory Readable True False False
private_0x00000000004c0000 0x004c0000 0x004fffff Private Memory Readable, Writable True True False
private_0x0000000000500000 0x00500000 0x005fffff Private Memory Readable, Writable True True False
pagefile_0x0000000000600000 0x00600000 0x00603fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000610000 0x00610000 0x00610fff Pagefile Backed Memory Readable True False False
private_0x0000000000620000 0x00620000 0x00621fff Private Memory Readable, Writable True True False
private_0x0000000000630000 0x00630000 0x0066ffff Private Memory Readable, Writable True True False
private_0x0000000000670000 0x00670000 0x0067ffff Private Memory Readable, Writable True True False
cmd.exe.mui 0x00680000 0x006a0fff Memory Mapped File Readable False False False
private_0x00000000006c0000 0x006c0000 0x006cffff Private Memory Readable, Writable True True False
locale.nls 0x006d0000 0x0078dfff Memory Mapped File Readable False False False
private_0x0000000000870000 0x00870000 0x0096ffff Private Memory Readable, Writable True True False
private_0x0000000000970000 0x00970000 0x00a6ffff Private Memory Readable, Writable True True False
private_0x0000000000bc0000 0x00bc0000 0x00bcffff Private Memory Readable, Writable True True False
cmd.exe 0x00d90000 0x00ddffff Memory Mapped File Readable, Writable, Executable True False False
pagefile_0x0000000000de0000 0x00de0000 0x04ddffff Pagefile Backed Memory - True False False
wow64cpu.dll 0x5c9f0000 0x5c9f7fff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x5ca00000 0x5ca72fff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x5ca80000 0x5cacefff Memory Mapped File Readable, Writable, Executable False False False
cmdext.dll 0x731e0000 0x731e7fff Memory Mapped File Readable, Writable, Executable False False False
bcryptprimitives.dll 0x74230000 0x74288fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x74290000 0x74299fff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x742a0000 0x742bdfff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x75b80000 0x75c3dfff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x75d40000 0x75dbafff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x75e70000 0x75f1bfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75f20000 0x76095fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x760a0000 0x760e2fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76bc0000 0x76caffff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77190000 0x77308fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007e570000 0x7e570000 0x7e66ffff Pagefile Backed Memory Readable True False False
pagefile_0x000000007e670000 0x7e670000 0x7e692fff Pagefile Backed Memory Readable True False False
private_0x000000007e696000 0x7e696000 0x7e696fff Private Memory Readable, Writable True True False
private_0x000000007e699000 0x7e699000 0x7e69bfff Private Memory Readable, Writable True True False
private_0x000000007e69c000 0x7e69c000 0x7e69efff Private Memory Readable, Writable True True False
private_0x000000007e69f000 0x7e69f000 0x7e69ffff Private Memory Readable, Writable True True False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
private_0x000000007fff0000 0x7fff0000 0x7dfb3d30ffff Private Memory Readable True False False
pagefile_0x00007dfb3d310000 0x7dfb3d310000 0x7ffb3d30ffff Pagefile Backed Memory - True False False
ntdll.dll 0x7ffb3d310000 0x7ffb3d4d1fff Memory Mapped File Readable, Writable, Executable False False False
private_0x00007ffb3d4d2000 0x7ffb3d4d2000 0x7ffffffeffff Private Memory Readable True False False
Host Behavior
File (69)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\upd7d80021e.bat desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 5
Create C:\Users\CIIHMN~1\AppData\Local\Temp\upd7d80021e.bat desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Get Info C:\Users\CIiHmnxMn6Ps\Desktop type = file_attributes True 3
Get Info - type = file_type True 5
Get Info C:\Users\CIiHmnxMn6Ps\Desktop\zeuspanda.vir.exe type = file_attributes True 2
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\upd7d80021e.bat type = file_attributes True 2
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp type = file_attributes True 1
Get Info STD_ERROR_HANDLE type = file_type True 1
Open STD_OUTPUT_HANDLE - True 13
Open STD_INPUT_HANDLE - True 7
Open - - True 20
Open STD_ERROR_HANDLE - True 3
Read - size = 8191, size_out = 206 True 1
Read - size = 8191, size_out = 195 True 1
Read - size = 8191, size_out = 191 True 1
Read - size = 8191, size_out = 130 True 1
Read - size = 8191, size_out = 63 True 1
Write STD_ERROR_HANDLE size = 33 True 1
Registry (17)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 218, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Module (8)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\syswow64\cmd.exe base_address = 0xd90000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76bc0000 True 2
Get Filename - process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadUILanguage, address_out = 0x76c02780 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileExW, address_out = 0x76bdfa80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x76bda790 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x760335c0 True 1
Environment (12)
Operation Additional Information Success Count Logfile
Get Environment String - True 4
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Get Environment String name = PROMPT False 1
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Get Environment String name = KEYS False 1
Set Environment String name = PROMPT, value = $P$G True 1
Set Environment String name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop True 1
Process #5: svchost.exe
(Host: 2234, Network: 41)
Information Value
ID #5
File Name c:\windows\syswow64\svchost.exe
Command Line C:\Windows\SysWOW64\svchost.exe -k netsvcs
Initial Working Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\
Monitor Start Time: 00:01:41, Reason: Child Process
Unmonitor End Time: 00:15:27, Reason: Terminated by Timeout
Monitor Duration 00:13:46
OS Process Information
Information Value
PID 0xa88
Parent PID 0xd34 (c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x18C
0xD28
0x9E0
0x538
0xE98
0x8D4
0xE94
0xE84
0xE8C
0xE90
0xC54
0xC40
0xC2C
0xC18
0xC04
0x440
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
svchost.exe 0x00370000 0x0037afff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000e00000 0x00e00000 0x04dfffff Pagefile Backed Memory - True False False
private_0x0000000004e00000 0x04e00000 0x04e1ffff Private Memory Readable, Writable True True False
pagefile_0x0000000004e00000 0x04e00000 0x04e0ffff Pagefile Backed Memory Readable, Writable True False False
svchost.exe.mui 0x04e10000 0x04e10fff Memory Mapped File Readable False False False
private_0x0000000004e20000 0x04e20000 0x04e21fff Private Memory Readable, Writable True True False
private_0x0000000004e20000 0x04e20000 0x04e20fff Private Memory Readable, Writable True True False
pagefile_0x0000000004e30000 0x04e30000 0x04e43fff Pagefile Backed Memory Readable True False False
private_0x0000000004e50000 0x04e50000 0x04e8ffff Private Memory Readable, Writable True True False
private_0x0000000004e90000 0x04e90000 0x04ecffff Private Memory Readable, Writable True True False
pagefile_0x0000000004ed0000 0x04ed0000 0x04ed3fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000004ee0000 0x04ee0000 0x04ee0fff Pagefile Backed Memory Readable True False False
private_0x0000000004ef0000 0x04ef0000 0x04ef1fff Private Memory Readable, Writable True True False
private_0x0000000004f00000 0x04f00000 0x04f1ffff Private Memory Readable, Writable, Executable True True False
private_0x0000000004f20000 0x04f20000 0x04f5ffff Private Memory Readable, Writable True True False
private_0x0000000004f20000 0x04f20000 0x04f20fff Private Memory Readable, Writable True True False
private_0x0000000004f20000 0x04f20000 0x04f82fff Private Memory Readable, Writable True True False
private_0x0000000004f20000 0x04f20000 0x04f21fff Private Memory Readable, Writable True True False
pagefile_0x0000000004f20000 0x04f20000 0x04f20fff Pagefile Backed Memory Readable, Writable True False False
counters.dat 0x04f30000 0x04f30fff Memory Mapped File Readable, Writable True True False
private_0x0000000004f40000 0x04f40000 0x04f7ffff Private Memory Readable, Writable True True False
private_0x0000000004f60000 0x04f60000 0x04f9ffff Private Memory Readable, Writable True True False
pagefile_0x0000000004f80000 0x04f80000 0x04f81fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000004f80000 0x04f80000 0x04f8ffff Pagefile Backed Memory Readable True False False
pagefile_0x0000000004f90000 0x04f90000 0x04f90fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000004fa0000 0x04fa0000 0x04fa6fff Private Memory Readable, Writable True True False
private_0x0000000004fb0000 0x04fb0000 0x04fb0fff Private Memory Readable, Writable True True False
private_0x0000000004fc0000 0x04fc0000 0x04fc0fff Private Memory Readable, Writable, Executable True True False
private_0x0000000004fd0000 0x04fd0000 0x04fd3fff Private Memory Readable, Writable True True False
private_0x0000000004fe0000 0x04fe0000 0x04fe0fff Private Memory Readable, Writable True True False
private_0x0000000005000000 0x05000000 0x050fffff Private Memory Readable, Writable True True False
private_0x0000000005100000 0x05100000 0x051fffff Private Memory Readable, Writable True True False
locale.nls 0x05200000 0x052bdfff Memory Mapped File Readable False False False
private_0x00000000052c0000 0x052c0000 0x052fffff Private Memory Readable, Writable True True False
private_0x0000000005300000 0x05300000 0x0533ffff Private Memory Readable, Writable True True False
pagefile_0x0000000005340000 0x05340000 0x054c7fff Pagefile Backed Memory Readable True False False
imm32.dll 0x054d0000 0x054f9fff Memory Mapped File Readable False False False
private_0x00000000054d0000 0x054d0000 0x05644fff Private Memory Readable, Writable True True False
private_0x00000000054d0000 0x054d0000 0x0550ffff Private Memory Readable, Writable True True False
private_0x0000000005510000 0x05510000 0x0554ffff Private Memory Readable, Writable True True False
private_0x0000000005550000 0x05550000 0x0558ffff Private Memory Readable, Writable True True False
private_0x0000000005590000 0x05590000 0x055cffff Private Memory Readable, Writable True True False
private_0x00000000055e0000 0x055e0000 0x055e0fff Private Memory Readable, Writable True True False
private_0x00000000055f0000 0x055f0000 0x055f3fff Private Memory Readable, Writable True True False
private_0x0000000005600000 0x05600000 0x0563ffff Private Memory Readable, Writable True True False
private_0x0000000005640000 0x05640000 0x05644fff Private Memory Readable, Writable True True False
private_0x0000000005650000 0x05650000 0x0584ffff Private Memory Readable, Writable True True False
private_0x0000000005650000 0x05650000 0x0568ffff Private Memory Readable, Writable True True False
private_0x0000000005690000 0x05690000 0x056cffff Private Memory Readable, Writable True True False
private_0x0000000005700000 0x05700000 0x057fffff Private Memory Readable, Writable True True False
pagefile_0x0000000005800000 0x05800000 0x05980fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000005990000 0x05990000 0x06d8ffff Pagefile Backed Memory Readable True False False
private_0x0000000006d90000 0x06d90000 0x06dcffff Private Memory Readable, Writable True True False
private_0x0000000006de0000 0x06de0000 0x06de1fff Private Memory Readable, Writable True True False
private_0x0000000006de0000 0x06de0000 0x06de1fff Private Memory Readable, Writable True True False
private_0x0000000006de0000 0x06de0000 0x06de1fff Private Memory Readable, Writable True True False
private_0x0000000006de0000 0x06de0000 0x06de1fff Private Memory Readable, Writable True True False
private_0x0000000006de0000 0x06de0000 0x06df6fff Private Memory Readable, Writable True True False
private_0x0000000006de0000 0x06de0000 0x06df5fff Private Memory Readable, Writable True True False
private_0x0000000006de0000 0x06de0000 0x06df5fff Private Memory Readable, Writable True True False
private_0x0000000006de0000 0x06de0000 0x06df5fff Private Memory Readable, Writable True True False
private_0x0000000006de0000 0x06de0000 0x06df5fff Private Memory Readable, Writable True True False
private_0x0000000006de0000 0x06de0000 0x06df5fff Private Memory Readable, Writable True True False
private_0x0000000006de0000 0x06de0000 0x06df5fff Private Memory Readable, Writable True True False
private_0x0000000006de0000 0x06de0000 0x06df5fff Private Memory Readable, Writable True True False
private_0x0000000006de0000 0x06de0000 0x06df5fff Private Memory Readable, Writable True True False
private_0x0000000006de0000 0x06de0000 0x06df5fff Private Memory Readable, Writable True True False
private_0x0000000006e00000 0x06e00000 0x06efffff Private Memory Readable, Writable True True False
sortdefault.nls 0x06f00000 0x07236fff Memory Mapped File Readable False False False
private_0x0000000007240000 0x07240000 0x0733ffff Private Memory Readable, Writable True True False
private_0x0000000007340000 0x07340000 0x0743ffff Private Memory Readable, Writable True True False
private_0x0000000007440000 0x07440000 0x0753ffff Private Memory Readable, Writable True True False
private_0x0000000007540000 0x07540000 0x0763ffff Private Memory Readable, Writable True True False
private_0x0000000007640000 0x07640000 0x0773ffff Private Memory Readable, Writable True True False
private_0x0000000007740000 0x07740000 0x0783ffff Private Memory Readable, Writable True True False
private_0x0000000007840000 0x07840000 0x0793ffff Private Memory Readable, Writable True True False
private_0x0000000007940000 0x07940000 0x07a14fff Private Memory Readable, Writable True True False
private_0x0000000007940000 0x07940000 0x0797ffff Private Memory Readable, Writable True True False
private_0x0000000007980000 0x07980000 0x079bffff Private Memory Readable, Writable True True False
private_0x00000000079c0000 0x079c0000 0x079fffff Private Memory Readable, Writable True True False
private_0x0000000007a10000 0x07a10000 0x07a14fff Private Memory Readable, Writable True True False
private_0x0000000007a20000 0x07a20000 0x07c1ffff Private Memory Readable, Writable True True False
private_0x0000000007a20000 0x07a20000 0x07a5ffff Private Memory Readable, Writable True True False
private_0x0000000007a60000 0x07a60000 0x07a9ffff Private Memory Readable, Writable True True False
private_0x0000000007a60000 0x07a60000 0x07a9ffff Private Memory Readable, Writable True True False
private_0x0000000007aa0000 0x07aa0000 0x07adffff Private Memory Readable, Writable True True False
private_0x0000000007aa0000 0x07aa0000 0x07adffff Private Memory Readable, Writable True True False
private_0x0000000007b00000 0x07b00000 0x07bfffff Private Memory Readable, Writable True True False
ole32.dll 0x07c00000 0x07ce8fff Memory Mapped File Readable False False False
private_0x0000000007c00000 0x07c00000 0x07cfffff Private Memory Readable, Writable True True False
private_0x0000000007d00000 0x07d00000 0x07d3ffff Private Memory Readable, Writable True True False
private_0x0000000007d40000 0x07d40000 0x07d7ffff Private Memory Readable, Writable True True False
wow64cpu.dll 0x5c9f0000 0x5c9f7fff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x5ca00000 0x5ca72fff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x5ca80000 0x5cacefff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x725c0000 0x727e3fff Memory Mapped File Readable, Writable, Executable False False False
dnsapi.dll 0x72d40000 0x72dc3fff Memory Mapped File Readable, Writable, Executable False False False
mswsock.dll 0x72e80000 0x72ecdfff Memory Mapped File Readable, Writable, Executable False False False
ondemandconnroutehelper.dll 0x72ed0000 0x72ee0fff Memory Mapped File Readable, Writable, Executable False False False
winhttp.dll 0x72ef0000 0x72f96fff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x731f0000 0x73217fff Memory Mapped File Readable, Writable, Executable False False False
winnsi.dll 0x73270000 0x73277fff Memory Mapped File Readable, Writable, Executable False False False
iphlpapi.dll 0x73350000 0x7337ffff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x733b0000 0x733defff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x733e0000 0x733f2fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x73430000 0x734a4fff Memory Mapped File Readable, Writable, Executable False False False
bcrypt.dll 0x73550000 0x7356afff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x73570000 0x73830fff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x738d0000 0x73a2ffff Memory Mapped File Readable, Writable, Executable False False False
secur32.dll 0x73c40000 0x73c49fff Memory Mapped File Readable, Writable, Executable False False False
bcryptprimitives.dll 0x74230000 0x74288fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x74290000 0x74299fff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x742a0000 0x742bdfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x74500000 0x7463ffff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x74730000 0x7475afff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x74760000 0x75b1efff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x75b80000 0x75c3dfff Memory Mapped File Readable, Writable, Executable False False False
powrprof.dll 0x75c40000 0x75c83fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x75d40000 0x75dbafff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x75dc0000 0x75e03fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x75e70000 0x75f1bfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75f20000 0x76095fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x760a0000 0x760e2fff Memory Mapped File Readable, Writable, Executable False False False
shcore.dll 0x76280000 0x7630cfff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x763b0000 0x76441fff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x76450000 0x76455fff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x76470000 0x764cbfff Memory Mapped File Readable, Writable, Executable False False False
windows.storage.dll 0x764d0000 0x769acfff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x769b0000 0x76afcfff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76bc0000 0x76caffff Memory Mapped File Readable, Writable, Executable False False False
combase.dll 0x76cf0000 0x76ea9fff Memory Mapped File Readable, Writable, Executable False False False
kernel.appcore.dll 0x76eb0000 0x76ebbfff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x76ec0000 0x77034fff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x77040000 0x77046fff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x77050000 0x7705efff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x77060000 0x7706dfff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x77070000 0x7718ffff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77190000 0x77308fff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007e92f000 0x7e92f000 0x7e931fff Private Memory Readable, Writable True True False
private_0x000000007e932000 0x7e932000 0x7e934fff Private Memory Readable, Writable True True False
private_0x000000007e932000 0x7e932000 0x7e934fff Private Memory Readable, Writable True True False
private_0x000000007e935000 0x7e935000 0x7e937fff Private Memory Readable, Writable True True False
private_0x000000007e938000 0x7e938000 0x7e93afff Private Memory Readable, Writable True True False
private_0x000000007e93b000 0x7e93b000 0x7e93dfff Private Memory Readable, Writable True True False
private_0x000000007e93e000 0x7e93e000 0x7e940fff Private Memory Readable, Writable True True False
private_0x000000007e941000 0x7e941000 0x7e943fff Private Memory Readable, Writable True True False
private_0x000000007e944000 0x7e944000 0x7e946fff Private Memory Readable, Writable True True False
private_0x000000007e947000 0x7e947000 0x7e949fff Private Memory Readable, Writable True True False
private_0x000000007e94a000 0x7e94a000 0x7e94cfff Private Memory Readable, Writable True True False
private_0x000000007e94d000 0x7e94d000 0x7e94ffff Private Memory Readable, Writable True True False
pagefile_0x000000007e950000 0x7e950000 0x7ea4ffff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ea50000 0x7ea50000 0x7ea72fff Pagefile Backed Memory Readable True False False
private_0x000000007ea74000 0x7ea74000 0x7ea76fff Private Memory Readable, Writable True True False
private_0x000000007ea77000 0x7ea77000 0x7ea77fff Private Memory Readable, Writable True True False
private_0x000000007ea79000 0x7ea79000 0x7ea79fff Private Memory Readable, Writable True True False
private_0x000000007ea7a000 0x7ea7a000 0x7ea7cfff Private Memory Readable, Writable True True False
private_0x000000007ea7a000 0x7ea7a000 0x7ea7cfff Private Memory Readable, Writable True True False
private_0x000000007ea7d000 0x7ea7d000 0x7ea7ffff Private Memory Readable, Writable True True False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
private_0x000000007fff0000 0x7fff0000 0x7dfb3d30ffff Private Memory Readable True False False
pagefile_0x00007dfb3d310000 0x7dfb3d310000 0x7ffb3d30ffff Pagefile Backed Memory - True False False
ntdll.dll 0x7ffb3d310000 0x7ffb3d4d1fff Memory Mapped File Readable, Writable, Executable False False False
private_0x00007ffb3d4d2000 0x7ffb3d4d2000 0x7ffffffeffff Private Memory Readable True False False
For performance reasons, the remaining 24 entries are omitted.
The remaining entries can be found in flog.txt.
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count Logfile
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 0xd30 address = 0x4f00000, size = 131072 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 0xd30 address = 0x4f1b6a4, size = 4 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 0xd30 address = 0x4f1b7c0, size = 4 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 0xd30 address = 0x4f1bdb4, size = 4 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 0xd30 address = 0x4f0b50c True 1
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.tmp 1.55 KB (1587 bytes) MD5: c8d692d45464cec7ac72a410014618a1
SHA1: 86337fe9402384748c740602d8f5b196da4f42fc
SHA256: c38850622b4e8f39f63f32a390f9c6ae6dbd995f97f915010feb352d9ac315f5
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.tmp 13.88 KB (14217 bytes) MD5: 6ad3a7538b8a7b4760beb75c29cc549e
SHA1: 6bce6136b2e7583a73a6729ea55e8a357c5109b9
SHA256: dcc29c6c645904bf50cc3269e20dd52d2c7264c02fd4abaf3bf45ff90d735282
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.tmp 4.10 KB (4197 bytes) MD5: 77f0193e8f6be3517577f1e1eda545be
SHA1: 555b8e0d22e10e617564bf02fd3b7c3e82a8748f
SHA256: 2a8ae96bde02e0862c3bae8bb8489d3f480e3eba6c9b24ca64ed106ce09c96b5
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.tmp 66.83 KB (68433 bytes) MD5: 74cfc4d8677f142d44a5bc2e62fbbb76
SHA1: 9a844e74f70fa704f220dc17d1cd106edd178af5
SHA256: 6256c08a18c462914fdd78b08afc4507b6cb5317c2a9c309d332594bd28fb6c8
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.tmp 7.15 KB (7323 bytes) MD5: 29670c5d286f19a05daaa33a87b3d3df
SHA1: 472724fd66d7a23bfdcba8dd651256da68dc042f
SHA256: c4ea6c33939d89e1a00f96ba432c2c50822faa11d55ff19fb75d305aa1730d61
False
Modified Files
Filename File Size Hash Values YARA Match Actions
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\nieo_glbfe5pi.qef 1.64 KB (1680 bytes) MD5: 19e41a9bbee8b943fbffb11b43e91c6a
SHA1: 6d982ea6d2f07cb2241e397d556491196500013a
SHA256: 6e00e3dcb22d69648583f51e3192a927412f4d7ab2be7f0c36210e47a71f81c4
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\kinto.pyi 29.81 KB (30528 bytes) MD5: e9a283db6371a73a5c62a14e2c170aa8
SHA1: cddebb3cd338765b636e0a08630d7c016a6ac307
SHA256: 3bab6a563dcf574fec0f6098c360456b5f87ecc938e3719d130bb956ec9c6f2e
False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\inetcache\ie\gy9r3u9a\q[1].htm 35.19 KB (36032 bytes) MD5: 38d28878b89fff302cf61231e0c56f47
SHA1: cff27aba9e63e9f7566ccda457568cbb5d9076b4
SHA256: 3c8117aee6d62bbd70e0674d4d98625d5898351ad8735a1372fbcfe404b3d834
False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\inetcache\ie\gy9r3u9a\q[1].htm 0.19 KB (192 bytes) MD5: d7777a87cd48a2d3e8fd357148599a53
SHA1: f8b193a8c47e0402a41df81217608ad8c76a4fa8
SHA256: 46e1e998d8a31877f770db765fc7c7b615c32c6ee59a155cc95cc77f1435057d
False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\inetcache\counters.dat 0.12 KB (128 bytes) MD5: d32d9269e9f78068b6c017d4f998d520
SHA1: 668b7f045d05589bab466d34bcb38ee4adc9b078
SHA256: db1e009e0ee178d96b318856cfcff37737e185bef0c7990a464ba0cd8df1a8b6
False
Host Behavior
File (388)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\niEo_GlbFe5Pi.qef desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\niEo_GlbFe5Pi.qef desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\niEo_GlbFe5Pi.qef desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\niEo_GlbFe5Pi.qef desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 9
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 9
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\niEo_GlbFe5Pi.qef desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 5
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\niEo_GlbFe5Pi.qef desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\niEo_GlbFe5Pi.qef desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 3
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 3
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\niEo_GlbFe5Pi.qef desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\niEo_GlbFe5Pi.qef desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\kinto.pyi desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Pipe \device\namedpipe\e7cb4c13c5ff510208fe9abc26bb5b59 open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_OVERLAPPED, max_instances = 255 True 1
Get Info C:\Users type = file_attributes True 23
Get Info C:\Users\CIiHmnxMn6Ps type = file_attributes True 23
Get Info C:\Users\CIiHmnxMn6Ps\AppData type = file_attributes True 23
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming type = file_attributes True 23
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia type = file_attributes True 23
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player type = file_attributes True 23
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com type = file_attributes True 23
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support type = file_attributes True 23
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer type = file_attributes True 23
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys type = file_attributes True 23
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 521 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\niEo_GlbFe5Pi.qef type = size, size_out = 0 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\niEo_GlbFe5Pi.qef type = size, size_out = 0 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 1088 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\niEo_GlbFe5Pi.qef type = size, size_out = 0 True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\niEo_GlbFe5Pi.qef type = size, size_out = 0 True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.tmp type = file_attributes False 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = file_attributes True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 1088 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 1370 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 0 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe type = size, size_out = 404480 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 254 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\niEo_GlbFe5Pi.qef type = size, size_out = 0 True 5
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 503 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 734 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 983 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\niEo_GlbFe5Pi.qef type = size, size_out = 0 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 1214 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 1461 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 1734 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\niEo_GlbFe5Pi.qef type = size, size_out = 0 True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 1965 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 2780 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 3011 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 3259 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 3490 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 3738 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 3969 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\niEo_GlbFe5Pi.qef type = size, size_out = 0 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 4218 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 4449 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 4663 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 4943 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 5210 True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.tmp source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 521, size_out = 521 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 1088, size_out = 1088 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 1370, size_out = 1370 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe size = 404480, size_out = 404480 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 254, size_out = 254 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 503, size_out = 503 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 734, size_out = 734 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 983, size_out = 983 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 1214, size_out = 1214 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 1461, size_out = 1461 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 1734, size_out = 1734 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 1965, size_out = 1965 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 2780, size_out = 2780 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 3011, size_out = 3011 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 3259, size_out = 3259 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 3490, size_out = 3490 True 1
Fn
Data
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 3738, size_out = 3738 True 1
Fn
Data
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 3969, size_out = 3969 True 1
Fn
Data
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 4218, size_out = 4218 True 1
Fn
Data
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 4449, size_out = 4449 True 1
Fn
Data
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 4663, size_out = 4663 True 1
Fn
Data
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 4943, size_out = 4943 True 1
Fn
Data
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 5210, size_out = 5210 True 1
Fn
Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 1088 True 1
Fn
Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 1370 True 1
Fn
Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 1587 True 1
Fn
Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 254 True 1
Fn
Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 503 True 1
Fn
Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 734 True 1
Fn
Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 983 True 1
Fn
Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 1214 True 1
Fn
Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 1461 True 1
Fn
Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 1734 True 1
Fn
Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 1965 True 1
Fn
Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 2213 True 1
Fn
Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 3011 True 1
Fn
Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 3259 True 1
Fn
Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 3490 True 1
Fn
Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 3738 True 1
Fn
Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 3969 True 1
Fn
Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 4218 True 1
Fn
Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 4449 True 1
Fn
Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\niEo_GlbFe5Pi.qef size = 1680 True 1
Fn
Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 4663 True 1
Fn
Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 4943 True 1
Fn
Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 5210 True 1
Fn
Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\kinto.pyi size = 30528 True 1
Fn
Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 5435 True 1
Fn
Data
Registry (95)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Fn
Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run - True 1
Fn
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Fn
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 3
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 2
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 3
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 2
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 9
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 4
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 3
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 3
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 3
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 2
Fn
Data
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 2
Fn
Data
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 2
Fn
Data
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_NONE False 5
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 8
Fn
Data
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 4
Fn
Data
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 4
Fn
Data
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 6
Fn
Data
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_BINARY True 4
Fn
Data
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 2
Fn
Data
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, size = 1776, type = REG_BINARY True 1
Fn
Data
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run value_name = containers.exe, data = "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe", size = 236, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, size = 1680, type = REG_BINARY True 1
Fn
Data
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, size = 1776, type = REG_BINARY True 3
Fn
Data
Process (487)
Operation Process Additional Information Success Count Logfile
Open System desired_access = PROCESS_QUERY_INFORMATION False 10
Fn
Open c:\windows\system32\smss.exe desired_access = PROCESS_QUERY_INFORMATION False 10
Fn
Open c:\windows\system32\csrss.exe desired_access = PROCESS_QUERY_INFORMATION False 10
Fn
Open c:\windows\system32\wininit.exe desired_access = PROCESS_QUERY_INFORMATION False 10
Fn
Open c:\windows\system32\csrss.exe desired_access = PROCESS_QUERY_INFORMATION False 10
Fn
Open c:\windows\system32\winlogon.exe desired_access = PROCESS_QUERY_INFORMATION False 10
Fn
Open c:\windows\system32\services.exe desired_access = PROCESS_QUERY_INFORMATION False 10
Fn
Open c:\windows\system32\lsass.exe desired_access = PROCESS_QUERY_INFORMATION False 10
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 10
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 10
Fn
Open c:\windows\system32\dwm.exe desired_access = PROCESS_QUERY_INFORMATION False 10
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 10
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 10
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 10
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 10
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 10
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 10
Fn
Open c:\windows\system32\spoolsv.exe desired_access = PROCESS_QUERY_INFORMATION False 10
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 10
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 10
Fn
Open c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe desired_access = PROCESS_QUERY_INFORMATION False 10
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 10
Fn
Open c:\windows\system32\sihost.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\windows\explorer.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\windows\system32\runtimebroker.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files\microsoft office\root\office16\onenotem.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files (x86)\common files\adobe\arm\1.0\adobearm.exe desired_access = PROCESS_QUERY_INFORMATION True 2
Fn
Open c:\program files (x86)\windows sidebar\positionflood.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files\microsoft office\inquiries_ist.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files\internet explorer\plannerdevelopersflu.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files (x86)\reference assemblies\diagram_columns.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files (x86)\google\stevenportland.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files\windows mail\leisure.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files (x86)\mozilla firefox\radar-reno.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files (x86)\windows sidebar\chemistry.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files (x86)\mozilla maintenance service\trinidad randy margaret opposition.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files\windows journal\mercedes_pretty.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files\microsoft office\root\office16\msoia.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files\microsoft office\shown_step_throwing_kyle.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files\windows portable devices\importedremarkembedded.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files (x86)\mozilla maintenance service\jumping-missions-housewares.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files (x86)\microsoft.net\geniuswalkedhiking.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files\windows media player\snow.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files (x86)\adobe\crack_neighbor.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files\common files\construction ranging generation.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files (x86)\common files\rear worse activities shared.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files (x86)\mozilla firefox\dimensional.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files (x86)\windows media player\diversity_lincoln_vol_chapter.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\windows\system32\audiodg.exe desired_access = PROCESS_QUERY_INFORMATION False 3
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\windows\system32\msiexec.exe desired_access = PROCESS_QUERY_INFORMATION False 3
Fn
Open c:\program files (x86)\common files\adobe\arm\1.0\armsvc.exe desired_access = PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\program files (x86)\common files\adobe\arm\1.0\temp\600643214\adobearmhelper.exe desired_access = PROCESS_QUERY_INFORMATION False 2
Fn
Open c:\windows\syswow64\msiexec.exe desired_access = PROCESS_QUERY_INFORMATION False 2
Fn
Open c:\windows\syswow64\svchost.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\windows\system32\sihost.exe desired_access = PROCESS_QUERY_INFORMATION True 10
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\windows\explorer.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\windows\system32\runtimebroker.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files\microsoft office\root\office16\onenotem.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files (x86)\windows sidebar\positionflood.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files\microsoft office\inquiries_ist.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files\internet explorer\plannerdevelopersflu.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files (x86)\reference assemblies\diagram_columns.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files (x86)\google\stevenportland.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files\windows mail\leisure.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files (x86)\mozilla firefox\radar-reno.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files (x86)\windows sidebar\chemistry.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files (x86)\mozilla maintenance service\trinidad randy margaret opposition.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files\windows journal\mercedes_pretty.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files\microsoft office\root\office16\msoia.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files\microsoft office\shown_step_throwing_kyle.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files\windows portable devices\importedremarkembedded.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files (x86)\mozilla maintenance service\jumping-missions-housewares.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files (x86)\microsoft.net\geniuswalkedhiking.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files\windows media player\snow.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files (x86)\adobe\crack_neighbor.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files\common files\construction ranging generation.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files (x86)\common files\rear worse activities shared.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files (x86)\mozilla firefox\dimensional.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files (x86)\windows media player\diversity_lincoln_vol_chapter.exe desired_access = PROCESS_QUERY_INFORMATION True 3
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION True 2
Fn
Open c:\windows\syswow64\svchost.exe desired_access = PROCESS_QUERY_INFORMATION True 2
Fn
Open c:\windows\syswow64\cmd.exe desired_access = PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\program files (x86)\common files\adobe\arm\1.0\adobearm.exe desired_access = PROCESS_QUERY_INFORMATION True 2
Fn
Open c:\program files (x86)\adobe\acrobat reader dc\reader\reader_sl.exe desired_access = PROCESS_QUERY_INFORMATION True 2
Fn
Module (40)
Operation Module Additional Information Success Count Logfile
Load KERNEL32.dll base_address = 0x76bc0000 True 1
Fn
Load USER32.dll base_address = 0x74500000 True 1
Fn
Load NTDLL base_address = 0x77190000 True 4
Fn
Load advapi32.dll base_address = 0x75d40000 True 1
Fn
Load shlwapi.dll base_address = 0x75dc0000 True 1
Fn
Load psapi.dll base_address = 0x76450000 True 1
Fn
Load secur32.dll base_address = 0x73c40000 True 1
Fn
Load SSPICLI base_address = 0x742a0000 True 1
Fn
Load wininet.dll base_address = 0x725c0000 True 1
Fn
Load crypt32.dll base_address = 0x76ec0000 True 1
Fn
Load urlmon.dll base_address = 0x738d0000 True 1
Fn
Get Handle advapi32.dll base_address = 0x0 False 1
Fn
Get Handle shlwapi.dll base_address = 0x0 False 1
Fn
Get Handle psapi.dll base_address = 0x0 False 1
Fn
Get Handle secur32.dll base_address = 0x0 False 1
Fn
Get Handle wininet.dll base_address = 0x0 False 1
Fn
Get Filename psapi.dll process_name = c:\windows\syswow64\svchost.exe, file_name_orig = C:\Windows\SysWOW64\svchost.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedExchange, address_out = 0x76bd7650 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapCreate, address_out = 0x76bd9950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76bd25e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x771cbae0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x771cda90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapDestroy, address_out = 0x76bdd940 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x76bd7910 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedIncrement, address_out = 0x76bd7520 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x76bd9640 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x76bd77b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x76bdd8d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryW, address_out = 0x76bda0b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76bd7940 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76bd9660 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadImageW, address_out = 0x74534500 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlAddVectoredExceptionHandler, address_out = 0x771ef090 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitializeCriticalSection, address_out = 0x771e95f0 True 1
Fn
Get Address c:\windows\syswow64\sspicli.dll function = GetUserNameExW, address_out = 0x742ac5f0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlEnterCriticalSection, address_out = 0x771d5e80 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlLeaveCriticalSection, address_out = 0x771d5e00 True 1
Fn
System (428)
Operation Additional Information Success Count Logfile
Sleep duration = -1 (infinite) False 2
Fn
Sleep duration = 300000 milliseconds (300.000 seconds) False 1
Fn
Sleep duration = -1 (infinite) True 44
Fn
Get Time type = Local Time, time = 2017-12-01 01:36:37 (Local Time) True 7
Fn
Get Time type = System Time, time = 2017-11-30 14:36:37 (UTC) True 20
Fn
Get Time type = System Time, time = 2017-11-30 14:36:38 (UTC) True 4
Fn
Get Time type = System Time, time = 2017-11-30 14:36:39 (UTC) True 1
Fn
Get Info type = Operating System False 329
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION False 10
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 10
Fn
Mutex (61)
Operation Additional Information Success Count Logfile
Create mutex_name = 8EB663269EDB2551D78D6BE980D8D1D5 True 1
Fn
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Fn
Create mutex_name = 3A05CFF4EB7DE2EF8F3985678370FA5D True 1
Fn
Create mutex_name = 99DCC4F63896BA52D9D5D3F7098E00E5 True 1
Fn
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Fn
Create mutex_name = 55A4DE17653FCFB535BFCEB7986C3B1D True 1
Fn
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Fn
Create mutex_name = 843724E431E9542E94836F8E62819404 True 1
Fn
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Fn
Create mutex_name = ACD86ED691154353041C7827C4241C0D True 1
Fn
Create mutex_name = BA6E0713253533C2BD32E023F51DAAB1 True 1
Fn
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Fn
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 9
Fn
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Fn
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 2
Fn
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 3
Fn
Create mutex_name = 99DCC4F63896BA52D9D5D3F7098E00E5 True 2
Fn
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 4
Fn
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Fn
Release mutex_name = 99DCC4F63896BA52D9D5D3F7098E00E5 True 1
Fn
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Fn
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Fn
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Fn
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Fn
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 9
Fn
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Fn
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 2
Fn
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 3
Fn
Release mutex_name = 99DCC4F63896BA52D9D5D3F7098E00E5 True 3
Fn
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 4
Fn
Network Behavior
HTTP Sessions (2)
Information Value
Total Data Sent 1.36 KB (1396 bytes)
Total Data Received 78.72 KB (80608 bytes)
Contacted Host Count 1
Contacted Hosts 330f35e9f647.loan
HTTP Session #1
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.69 KB (702 bytes)
Data Received 5.42 KB (5552 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /31F9UVfEun/0I1aalj/7QGREH4HU/RK/5rEg, accept_types = 82935808, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/31F9UVfEun/0I1aalj/7QGREH4HU/RK/5rEg False 1
Fn
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/31F9UVfEun/0I1aalj/7QGREH4HU/RK/5rEg True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Read Response size = 4096, size_out = 4096 True 1
Fn
Data
Read Response size = 4096, size_out = 1452 True 1
Fn
Data
Read Response size = 4096, size_out = 0 True 1
Fn
Close Session - True 2
Fn
HTTP Session #2
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.68 KB (694 bytes)
Data Received 73.30 KB (75056 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /mtV/jshKPnn7S1/Vn/HMa/z/b-N/oK/Q, accept_types = 82935808, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/mtV/jshKPnn7S1/Vn/HMa/z/b-N/oK/Q False 1
Fn
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/mtV/jshKPnn7S1/Vn/HMa/z/b-N/oK/Q True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Read Response size = 4096, size_out = 4096 True 3
Fn
Data
Read Response size = 4096, size_out = 3883 True 1
Fn
Data
Read Response size = 4096, size_out = 4096 True 12
Fn
Data
Read Response size = 4096, size_out = 4088 True 1
Fn
Data
Read Response size = 4096, size_out = 4096 True 1
Fn
Data
Read Response size = 4096, size_out = 1545 True 1
Fn
Data
Read Response size = 4096, size_out = 0 True 1
Fn
Close Session - True 2
Fn
Process #6: svchost.exe
(Host: 143, Network: 0)
Information Value
ID #6
File Name c:\windows\syswow64\svchost.exe
Command Line C:\Windows\SysWOW64\svchost.exe -k netsvcs
Initial Working Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\
Monitor Start Time: 00:01:41, Reason: Child Process
Unmonitor End Time: 00:15:27, Reason: Terminated by Timeout
Monitor Duration 00:13:46
OS Process Information
Information Value
PID 0xea0
Parent PID 0xd34 (c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x E88
0x B58
0x E80
0x FD4
0x FC4
0x FD0
0x D1C
0x C7C
0x C64
0x 8C8
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
svchost.exe 0x00370000 0x0037afff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000750000 0x00750000 0x0474ffff Pagefile Backed Memory - True False False
private_0x0000000004750000 0x04750000 0x0476ffff Private Memory Readable, Writable True True False
pagefile_0x0000000004750000 0x04750000 0x0475ffff Pagefile Backed Memory Readable, Writable True False False
svchost.exe.mui 0x04760000 0x04760fff Memory Mapped File Readable False False False
private_0x0000000004770000 0x04770000 0x04771fff Private Memory Readable, Writable True True False
private_0x0000000004770000 0x04770000 0x04770fff Private Memory Readable, Writable True True False
pagefile_0x0000000004780000 0x04780000 0x04793fff Pagefile Backed Memory Readable True False False
private_0x00000000047a0000 0x047a0000 0x047dffff Private Memory Readable, Writable True True False
private_0x00000000047e0000 0x047e0000 0x0481ffff Private Memory Readable, Writable True True False
pagefile_0x0000000004820000 0x04820000 0x04823fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000004830000 0x04830000 0x04830fff Pagefile Backed Memory Readable True False False
private_0x0000000004840000 0x04840000 0x04841fff Private Memory Readable, Writable True True False
private_0x0000000004850000 0x04850000 0x0486ffff Private Memory Readable, Writable, Executable True True False
private_0x0000000004870000 0x04870000 0x048affff Private Memory Readable, Writable True True False
private_0x0000000004870000 0x04870000 0x04871fff Private Memory Readable, Writable True True False
private_0x0000000004870000 0x04870000 0x04871fff Private Memory Readable, Writable True True False
private_0x0000000004870000 0x04870000 0x048d2fff Private Memory Readable, Writable True True False
private_0x00000000048b0000 0x048b0000 0x048effff Private Memory Readable, Writable True True False
private_0x00000000048f0000 0x048f0000 0x0492ffff Private Memory Readable, Writable True True False
imm32.dll 0x04930000 0x04959fff Memory Mapped File Readable False False False
private_0x0000000004930000 0x04930000 0x04930fff Private Memory Readable, Writable True True False
private_0x0000000004940000 0x04940000 0x04940fff Private Memory Readable, Writable, Executable True True False
private_0x0000000004950000 0x04950000 0x04950fff Private Memory Readable, Writable True True False
private_0x0000000004960000 0x04960000 0x04963fff Private Memory Readable, Writable True True False
private_0x0000000004990000 0x04990000 0x04996fff Private Memory Readable, Writable True True False
private_0x00000000049a0000 0x049a0000 0x049dffff Private Memory Readable, Writable True False False
private_0x0000000004a00000 0x04a00000 0x04afffff Private Memory Readable, Writable True True False
private_0x0000000004b00000 0x04b00000 0x04bfffff Private Memory Readable, Writable True True False
locale.nls 0x04c00000 0x04cbdfff Memory Mapped File Readable False False False
pagefile_0x0000000004cc0000 0x04cc0000 0x04e47fff Pagefile Backed Memory Readable True False False
private_0x0000000004e50000 0x04e50000 0x05004fff Private Memory Readable, Writable True True False
pagefile_0x0000000004e50000 0x04e50000 0x04fd0fff Pagefile Backed Memory Readable True False False
private_0x0000000005000000 0x05000000 0x05004fff Private Memory Readable, Writable True True False
private_0x0000000005010000 0x05010000 0x0520ffff Private Memory Readable, Writable True True False
private_0x0000000005030000 0x05030000 0x05033fff Private Memory Readable, Writable True True False
private_0x0000000005040000 0x05040000 0x0507ffff Private Memory Readable, Writable True False False
private_0x0000000005080000 0x05080000 0x050bffff Private Memory Readable, Writable True False False
private_0x00000000050c0000 0x050c0000 0x050fffff Private Memory Readable, Writable True False False
private_0x0000000005100000 0x05100000 0x051fffff Private Memory Readable, Writable True True False
pagefile_0x0000000005200000 0x05200000 0x065fffff Pagefile Backed Memory Readable True False False
private_0x0000000006600000 0x06600000 0x066fffff Private Memory Readable, Writable True True False
sortdefault.nls 0x06700000 0x06a36fff Memory Mapped File Readable False False False
private_0x0000000006a40000 0x06a40000 0x06b3ffff Private Memory Readable, Writable True False False
private_0x0000000006b40000 0x06b40000 0x06c3ffff Private Memory Readable, Writable True False False
private_0x0000000006c40000 0x06c40000 0x06d3ffff Private Memory Readable, Writable True False False
private_0x0000000006d40000 0x06d40000 0x06d7ffff Private Memory Readable, Writable True False False
private_0x0000000006d80000 0x06d80000 0x06e7ffff Private Memory Readable, Writable True False False
private_0x0000000006e80000 0x06e80000 0x06ebffff Private Memory Readable, Writable True False False
private_0x0000000006ec0000 0x06ec0000 0x06fbffff Private Memory Readable, Writable True False False
private_0x0000000006fc0000 0x06fc0000 0x06ffffff Private Memory Readable, Writable True False False
private_0x0000000007000000 0x07000000 0x070fffff Private Memory Readable, Writable True False False
wow64cpu.dll 0x5c9f0000 0x5c9f7fff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x5ca00000 0x5ca72fff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x5ca80000 0x5cacefff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x731f0000 0x73217fff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x733b0000 0x733defff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x733e0000 0x733f2fff Memory Mapped File Readable, Writable, Executable False False False
bcrypt.dll 0x73550000 0x7356afff Memory Mapped File Readable, Writable, Executable False False False
secur32.dll 0x73c40000 0x73c49fff Memory Mapped File Readable, Writable, Executable False False False
bcryptprimitives.dll 0x74230000 0x74288fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x74290000 0x74299fff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x742a0000 0x742bdfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x74500000 0x7463ffff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x74730000 0x7475afff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x75b80000 0x75c3dfff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x75d40000 0x75dbafff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x75dc0000 0x75e03fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x75e70000 0x75f1bfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75f20000 0x76095fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x760a0000 0x760e2fff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x76450000 0x76455fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x769b0000 0x76afcfff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76bc0000 0x76caffff Memory Mapped File Readable, Writable, Executable False False False
combase.dll 0x76cf0000 0x76ea9fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x77070000 0x7718ffff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77190000 0x77308fff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007e96e000 0x7e96e000 0x7e970fff Private Memory Readable, Writable True True False
private_0x000000007e971000 0x7e971000 0x7e973fff Private Memory Readable, Writable True True False
private_0x000000007e974000 0x7e974000 0x7e976fff Private Memory Readable, Writable True True False
private_0x000000007e977000 0x7e977000 0x7e979fff Private Memory Readable, Writable True True False
private_0x000000007e97a000 0x7e97a000 0x7e97cfff Private Memory Readable, Writable True True False
private_0x000000007e97d000 0x7e97d000 0x7e97ffff Private Memory Readable, Writable True True False
pagefile_0x000000007e980000 0x7e980000 0x7ea7ffff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ea80000 0x7ea80000 0x7eaa2fff Pagefile Backed Memory Readable True False False
private_0x000000007eaa5000 0x7eaa5000 0x7eaa5fff Private Memory Readable, Writable True True False
private_0x000000007eaa6000 0x7eaa6000 0x7eaa6fff Private Memory Readable, Writable True True False
private_0x000000007eaa7000 0x7eaa7000 0x7eaa9fff Private Memory Readable, Writable True True False
private_0x000000007eaaa000 0x7eaaa000 0x7eaacfff Private Memory Readable, Writable True True False
private_0x000000007eaad000 0x7eaad000 0x7eaaffff Private Memory Readable, Writable True True False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
private_0x000000007fff0000 0x7fff0000 0x7dfb3d30ffff Private Memory Readable True False False
pagefile_0x00007dfb3d310000 0x7dfb3d310000 0x7ffb3d30ffff Pagefile Backed Memory - True False False
ntdll.dll 0x7ffb3d310000 0x7ffb3d4d1fff Memory Mapped File Readable, Writable, Executable False False False
private_0x00007ffb3d4d2000 0x7ffb3d4d2000 0x7ffffffeffff Private Memory Readable True False False
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count Logfile
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 0xd30 address = 0x4850000, size = 131072 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 0xd30 address = 0x486b6a4, size = 4 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 0xd30 address = 0x486b7c0, size = 4 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 0xd30 address = 0x486bdb4, size = 4 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 0xd30 address = 0x485b50c True 1
Host Behavior
File (52)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\niEo_GlbFe5Pi.qef desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Get Info C:\Users type = file_attributes True 3
Get Info C:\Users\CIiHmnxMn6Ps type = file_attributes True 3
Get Info C:\Users\CIiHmnxMn6Ps\AppData type = file_attributes True 3
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming type = file_attributes True 3
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia type = file_attributes True 3
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player type = file_attributes True 3
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com type = file_attributes True 3
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support type = file_attributes True 3
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer type = file_attributes True 3
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys type = file_attributes True 3
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 2213 True 1
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\haawarq type = file_attributes False 1
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\tidyabxe type = file_attributes False 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\niEo_GlbFe5Pi.qef type = size, size_out = 0 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 5435 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 5688 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe type = size, size_out = 404480 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 2213, size_out = 2213 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 5435, size_out = 5435 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 5688, size_out = 5688 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe size = 404480, size_out = 404480 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 2780 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 5688 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 5921 True 1
Registry (20)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run - True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 3
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 2
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 2
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 4
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_NONE False 1
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, size = 1776, type = REG_BINARY True 1
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, size = 1776, type = REG_BINARY True 1
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run value_name = containers.exe, data = "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe", size = 236, type = REG_SZ True 1
Module (36)
Operation Module Additional Information Success Count Logfile
Load KERNEL32.dll base_address = 0x76bc0000 True 1
Load USER32.dll base_address = 0x74500000 True 1
Load NTDLL base_address = 0x77190000 True 4
Load advapi32.dll base_address = 0x75d40000 True 1
Load shlwapi.dll base_address = 0x75dc0000 True 1
Load psapi.dll base_address = 0x76450000 True 1
Load secur32.dll base_address = 0x73c40000 True 1
Load SSPICLI base_address = 0x742a0000 True 1
Get Handle advapi32.dll base_address = 0x0 False 1
Get Handle shlwapi.dll base_address = 0x0 False 1
Get Handle psapi.dll base_address = 0x0 False 1
Get Handle secur32.dll base_address = 0x0 False 1
Get Filename psapi.dll process_name = c:\windows\syswow64\svchost.exe, file_name_orig = C:\Windows\SysWOW64\svchost.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedExchange, address_out = 0x76bd7650 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapCreate, address_out = 0x76bd9950 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76bd25e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x771cbae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x771cda90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapDestroy, address_out = 0x76bdd940 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x76bd7910 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedIncrement, address_out = 0x76bd7520 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x76bd9640 True 1
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x76bd77b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x76bdd8d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryW, address_out = 0x76bda0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76bd7940 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76bd9660 True 1
Get Address c:\windows\syswow64\user32.dll function = LoadImageW, address_out = 0x74534500 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlAddVectoredExceptionHandler, address_out = 0x771ef090 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitializeCriticalSection, address_out = 0x771e95f0 True 1
Get Address c:\windows\syswow64\sspicli.dll function = GetUserNameExW, address_out = 0x742ac5f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlEnterCriticalSection, address_out = 0x771d5e80 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlLeaveCriticalSection, address_out = 0x771d5e00 True 1
System (10)
Operation Additional Information Success Count Logfile
Sleep duration = -1 (infinite) False 3
Get Time type = Local Time, time = 2017-12-01 01:36:37 (Local Time) True 1
Get Time type = System Time, time = 2017-11-30 14:36:37 (UTC) True 1
Get Time type = Local Time, time = 2017-12-01 01:36:58 (Local Time) True 1
Get Time type = System Time, time = 2017-11-30 14:36:58 (UTC) True 2
Get Info type = Operating System False 2
Mutex (14)
Operation Additional Information Success Count Logfile
Create mutex_name = 8592029A1BBD0F5EDCA2A860E613ACDB True 1
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Create mutex_name = 99DCC4F63896BA52D9D5D3F7098E00E5 True 1
Create mutex_name = ACD86ED691154353041C7827C4241C0D True 1
Create mutex_name = BA6E0713253533C2BD32E023F51DAAB1 True 1
Create mutex_name = 99DCC4F63896BA52D9D5D3F7098E00E5 True 1
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 2
Open mutex_name = 8EB663269EDB2551D78D6BE980D8D1D5, desired_access = SYNCHRONIZE True 1
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Release mutex_name = 99DCC4F63896BA52D9D5D3F7098E00E5 True 1
Release mutex_name = 99DCC4F63896BA52D9D5D3F7098E00E5 True 1
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 2
Process #7: containers.exe
(Host: 248, Network: 0)
Information Value
ID #7
File Name c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe
Command Line "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:46, Reason: Autostart
Unmonitor End Time: 00:15:27, Reason: Terminated by Timeout
Monitor Duration 00:12:41
OS Process Information
Information Value
PID 0x920
Parent PID 0x6d8 (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0001400a (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 554
0x 560
0x 4EC
0x 848
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00023fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False
pagefile_0x0000000000040000 0x00040000 0x00053fff Pagefile Backed Memory Readable True False False
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory Readable, Writable True False False
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory Readable, Writable True False False
pagefile_0x00000000001a0000 0x001a0000 0x001a3fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory Readable True False False
private_0x00000000001c0000 0x001c0000 0x001c1fff Private Memory Readable, Writable True False False
locale.nls 0x001d0000 0x0028dfff Memory Mapped File Readable False False False
private_0x0000000000290000 0x00290000 0x002cffff Private Memory Readable, Writable True False False
private_0x00000000002d0000 0x002d0000 0x0030ffff Private Memory Readable, Writable True False False
private_0x0000000000310000 0x00310000 0x0031ffff Private Memory Readable, Writable True False False
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory Readable, Writable True False False
private_0x0000000000420000 0x00420000 0x00420fff Private Memory Readable, Writable True False False
pagefile_0x0000000000430000 0x00430000 0x00430fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000440000 0x00440000 0x00446fff Private Memory Readable, Writable True False False
c_1256.nls 0x00450000 0x00460fff Memory Mapped File Readable False False False
private_0x0000000000470000 0x00470000 0x00473fff Private Memory Readable, Writable True False False
private_0x0000000000480000 0x00480000 0x0048ffff Private Memory Readable, Writable True False False
private_0x0000000000490000 0x00490000 0x004cffff Private Memory Readable, Writable True False False
c_1251.nls 0x00490000 0x004a0fff Memory Mapped File Readable False False False
c_1254.nls 0x004b0000 0x004c0fff Memory Mapped File Readable False False False
private_0x00000000004d0000 0x004d0000 0x005cffff Private Memory Readable, Writable True False False
private_0x00000000005d0000 0x005d0000 0x006cffff Private Memory Readable, Writable True False False
pagefile_0x00000000006d0000 0x006d0000 0x00857fff Pagefile Backed Memory Readable True False False
private_0x0000000000860000 0x00860000 0x009affff Private Memory Readable, Writable True False False
private_0x0000000000860000 0x00860000 0x0095ffff Private Memory Readable, Writable True False False
c_1250.nls 0x00960000 0x00970fff Memory Mapped File Readable False False False
c_1253.nls 0x00980000 0x00990fff Memory Mapped File Readable False False False
private_0x00000000009a0000 0x009a0000 0x009affff Private Memory Readable, Writable True False False
private_0x00000000009b0000 0x009b0000 0x009bffff Private Memory Readable, Writable True False False
pagefile_0x00000000009b0000 0x009b0000 0x009b4fff Pagefile Backed Memory Readable, Writable True False False
private_0x00000000009b0000 0x009b0000 0x009b0fff Private Memory Readable, Writable, Executable True False False
private_0x00000000009b0000 0x009b0000 0x009b3fff Private Memory Readable, Writable True False False
private_0x00000000009c0000 0x009c0000 0x009cffff Private Memory Readable, Writable True False False
pagefile_0x00000000009d0000 0x009d0000 0x00b50fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000b60000 0x00b60000 0x01f5ffff Pagefile Backed Memory Readable True False False
private_0x0000000001f60000 0x01f60000 0x0205ffff Private Memory Readable, Writable True False False
c_1257.nls 0x02060000 0x02070fff Memory Mapped File Readable False False False
c_1255.nls 0x02080000 0x02090fff Memory Mapped File Readable False False False
c_932.nls 0x020a0000 0x020c7fff Memory Mapped File Readable False False False
private_0x00000000020d0000 0x020d0000 0x020dffff Private Memory Readable, Writable True False False
pagefile_0x00000000020e0000 0x020e0000 0x025d1fff Pagefile Backed Memory Readable, Writable True False False
sortdefault.nls 0x025e0000 0x02916fff Memory Mapped File Readable False False False
private_0x0000000002920000 0x02920000 0x02b1ffff Private Memory Readable, Writable True False False
private_0x0000000002b20000 0x02b20000 0x02f1ffff Private Memory Readable, Writable True False False
private_0x0000000002f20000 0x02f20000 0x0371ffff Private Memory Readable, Writable True False False
private_0x0000000003720000 0x03720000 0x046effff Private Memory Readable, Writable True False False
private_0x00000000046f0000 0x046f0000 0x047effff Private Memory Readable, Writable True False False
c_949.nls 0x046f0000 0x04720fff Memory Mapped File Readable False False False
c_874.nls 0x04730000 0x04740fff Memory Mapped File Readable False False False
c_1258.nls 0x04750000 0x04760fff Memory Mapped File Readable False False False
c_936.nls 0x04770000 0x047a0fff Memory Mapped File Readable False False False
c_950.nls 0x047b0000 0x047e0fff Memory Mapped File Readable False False False
private_0x00000000047f0000 0x047f0000 0x04877fff Private Memory Readable, Writable, Executable True False False
kernelbase.dll.mui 0x04880000 0x0495efff Memory Mapped File Readable False False False
pagefile_0x0000000004960000 0x04960000 0x04d5ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000004960000 0x04960000 0x04971fff Private Memory Readable, Writable True False False
private_0x0000000004960000 0x04960000 0x049dffff Private Memory Readable, Writable True False False
private_0x00000000049e0000 0x049e0000 0x049e1fff Private Memory Readable, Writable True False False
private_0x0000000004b60000 0x04b60000 0x04beffff Private Memory Readable, Writable True False False
containers.exe 0x20c80000 0x20ce8fff Memory Mapped File Readable, Writable, Executable True False False
wow64cpu.dll 0x581b0000 0x581b7fff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x581c0000 0x5820efff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x58210000 0x58282fff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x74470000 0x74497fff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x744a0000 0x744cefff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x744d0000 0x744e2fff Memory Mapped File Readable, Writable, Executable False False False
samlib.dll 0x744f0000 0x74502fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x74510000 0x74584fff Memory Mapped File Readable, Writable, Executable False False False
samcli.dll 0x74590000 0x745a3fff Memory Mapped File Readable, Writable, Executable False False False
secur32.dll 0x745b0000 0x745b9fff Memory Mapped File Readable, Writable, Executable False False False
winnsi.dll 0x745c0000 0x745c7fff Memory Mapped File Readable, Writable, Executable False False False
netutils.dll 0x745d0000 0x745d9fff Memory Mapped File Readable, Writable, Executable False False False
srvcli.dll 0x745e0000 0x745fbfff Memory Mapped File Readable, Writable, Executable False False False
wkscli.dll 0x74600000 0x7460ffff Memory Mapped File Readable, Writable, Executable False False False
bcrypt.dll 0x74610000 0x7462afff Memory Mapped File Readable, Writable, Executable False False False
iphlpapi.dll 0x74630000 0x7465ffff Memory Mapped File Readable, Writable, Executable False False False
netapi32.dll 0x74660000 0x74672fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x74680000 0x74711fff Memory Mapped File Readable, Writable, Executable False False False
winspool.drv 0x74720000 0x74786fff Memory Mapped File Readable, Writable, Executable False False False
bcryptprimitives.dll 0x74840000 0x74898fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x748a0000 0x748a9fff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x748b0000 0x748cdfff Memory Mapped File Readable, Writable, Executable False False False
comdlg32.dll 0x748d0000 0x7498dfff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x74990000 0x74a7ffff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x74a80000 0x74b2bfff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x74ca0000 0x74ca6fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x74d10000 0x74e5cfff Memory Mapped File Readable, Writable, Executable False False False
windows.storage.dll 0x74e60000 0x7533cfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x753a0000 0x753e2fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x753f0000 0x754adfff Memory Mapped File Readable, Writable, Executable False False False
powrprof.dll 0x754c0000 0x75503fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x75690000 0x75779fff Memory Mapped File Readable, Writable, Executable False False False
Host Behavior
COM (1)
Operation Class Interface Additional Information Success Count Logfile
Create 0000031D-0000-0000-C000-000000000046 00000109-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER True 1
File (41)
Operation Filename Additional Information Success Count Logfile
Create - desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ False 2
Create - desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 2
Create \??\C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe desired_access = FILE_READ_EA, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 2
Create Directory - - False 1
Get Info - type = file_attributes False 1
Get Info \??\C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe type = extended True 1
Get Info C:\Users type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 5921 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 6181 True 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 5921, size_out = 5921 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 6181, size_out = 6181 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 6181 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 6441 True 1
Registry (7)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CLASSES_ROOT\AppID\{10000002-0000-0000-0000-000000000001} - False 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 2
Read Value HKEY_CLASSES_ROOT\AppID\{10000002-0000-0000-0000-000000000001} value_name = AccessPermission False 1
Read Value HKEY_CLASSES_ROOT\AppID\{10000002-0000-0000-0000-000000000001} value_name = AccessPermission, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = InstallDate, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = DigitalProductId False 1
Process (2)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\SysWOW64\svchost.exe -k netsvcs os_pid = 0xad8, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Create C:\Windows\SysWOW64\svchost.exe -k netsvcs os_pid = 0x4e4, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Thread (2)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\SysWOW64\svchost.exe -k netsvcs proc_address = 0x4d7b50c, proc_parameter = 0, flags = THREAD_RUNS_IMMEDIATELY True 1
Create C:\Windows\SysWOW64\svchost.exe -k netsvcs proc_address = 0x4a0b50c, proc_parameter = 0, flags = THREAD_RUNS_IMMEDIATELY True 1
Memory (10)
Operation Process Additional Information Success Count Logfile
Allocate C:\Windows\SysWOW64\svchost.exe -k netsvcs address = 0x4d70000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 131072 True 1
Allocate C:\Windows\SysWOW64\svchost.exe -k netsvcs address = 0x4a00000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 131072 True 1
Write C:\Windows\SysWOW64\svchost.exe -k netsvcs address = 0x4d70000, size = 131072 True 1
Write C:\Windows\SysWOW64\svchost.exe -k netsvcs address = 0x4d8b6a4, size = 4 True 1
Write C:\Windows\SysWOW64\svchost.exe -k netsvcs address = 0x4d8b7c0, size = 4 True 1
Write C:\Windows\SysWOW64\svchost.exe -k netsvcs address = 0x4d8bdb4, size = 4 True 1
Write C:\Windows\SysWOW64\svchost.exe -k netsvcs address = 0x4a00000, size = 131072 True 1
Write C:\Windows\SysWOW64\svchost.exe -k netsvcs address = 0x4a1b6a4, size = 4 True 1
Write C:\Windows\SysWOW64\svchost.exe -k netsvcs address = 0x4a1b7c0, size = 4 True 1
Write C:\Windows\SysWOW64\svchost.exe -k netsvcs address = 0x4a1bdb4, size = 4 True 1
Module (48)
Operation Module Additional Information Success Count Logfile
Load KERNEL32.dll base_address = 0x74990000 True 1
Load USER32.dll base_address = 0x75c90000 True 1
Load NTDLL base_address = 0x777a0000 True 2
Load SSPICLI base_address = 0x748b0000 True 1
Load api-ms-win-core-com-l1-1-0 base_address = 0x75a90000 True 1
Load psapi.dll base_address = 0x75780000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x74990000 True 2
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x777a0000 True 4
Get Handle c:\windows\syswow64\advapi32.dll base_address = 0x757f0000 True 3
Get Handle c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe base_address = 0x20c80000 True 1
Get Handle c:\windows\syswow64\shlwapi.dll base_address = 0x77410000 True 1
Get Handle c:\windows\syswow64\secur32.dll base_address = 0x745b0000 True 1
Get Handle c:\windows\syswow64\shell32.dll base_address = 0x76050000 True 1
Get Handle c:\windows\syswow64\ole32.dll base_address = 0x75690000 True 1
Get Handle psapi.dll base_address = 0x0 False 1
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe, size = 260 True 1
Get Filename psapi.dll process_name = c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x749aa330 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x749a7580 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x749a9910 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x749af400 True 1
Get Address c:\windows\syswow64\ntdll.dll function = memcpy, address_out = 0x7780e7b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedExchange, address_out = 0x749a7650 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapCreate, address_out = 0x749a9950 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x749a25e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x777dbae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x777dda90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapDestroy, address_out = 0x749ad940 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x749a7910 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedIncrement, address_out = 0x749a7520 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x749a9640 True 1
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x749a77b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x749ad8d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryW, address_out = 0x749aa0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x749a7940 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x749a9660 True 1
Get Address c:\windows\syswow64\user32.dll function = LoadImageW, address_out = 0x75cc4500 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlAddVectoredExceptionHandler, address_out = 0x777ff090 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitializeCriticalSection, address_out = 0x777f95f0 True 1
Get Address c:\windows\syswow64\sspicli.dll function = GetUserNameExW, address_out = 0x748bc5f0 True 1
Get Address c:\windows\syswow64\combase.dll function = CLSIDFromString, address_out = 0x75b41390 True 1
Window (1)
Operation Window Name Additional Information Success Count Logfile
Create - class_name = static, wndproc_parameter = 0 True 1
System (44)
Operation Additional Information Success Count Logfile
Get Computer Name result_out = LHNIWSJ True 33
Get Time type = System Time, time = 2017-11-30 03:37:52 (UTC) True 5
Get Time type = Local Time, time = 2017-11-30 14:37:52 (Local Time) True 3
Get Info type = Operating System False 3
Mutex (16)
Operation Additional Information Success Count Logfile
Create mutex_name = 8C5FF35F44C67C34381EFF128FE58575 True 1
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 3
Create mutex_name = DD53550AC9EB25CC6151CE1EB2A70FC3 True 1
Create mutex_name = 5576A023ACFCB1DF07119694F5D31AAB True 1
Create mutex_name = E60F35D6C376C5F82E917CA84B9C2F25 True 1
Open mutex_name = 4F35AC27449784784508471CC1E930C7, desired_access = SYNCHRONIZE False 1
Open mutex_name = 8EB663269EDB2551D78D6BE980D8D1D5, desired_access = SYNCHRONIZE False 2
Open mutex_name = 8592029A1BBD0F5EDCA2A860E613ACDB, desired_access = SYNCHRONIZE False 2
Release mutex_name = 8C5FF35F44C67C34381EFF128FE58575 True 1
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 3
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Process #8: svchost.exe
(Host: 2096, Network: 423)
Information Value
ID #8
File Name c:\windows\syswow64\svchost.exe
Command Line C:\Windows\SysWOW64\svchost.exe -k netsvcs
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:57, Reason: Child Process
Unmonitor End Time: 00:15:27, Reason: Terminated by Timeout
Monitor Duration 00:12:30
OS Process Information
Information Value
PID 0xad8
Parent PID 0x920 (c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0001400a (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xAE0, 0xAEC, 0xA68, 0xAE8, 0xAF0, 0x7F0, 0x7F4, 0x7C4, 0x2D0, 0xADC, 0xA64, 0xAE4, 0x7B8, 0xBF4, 0x5B8, 0x680, 0x890, 0x9B8
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
For performance reasons, the remaining 60 entries are omitted.
The remaining entries can be found in flog.txt.
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count Logfile
Modify Memory #7: c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 0x554 address = 0x4d70000, size = 131072 True 1
Modify Memory #7: c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 0x554 address = 0x4d8b6a4, size = 4 True 1
Modify Memory #7: c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 0x554 address = 0x4d8b7c0, size = 4 True 1
Modify Memory #7: c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 0x554 address = 0x4d8bdb4, size = 4 True 1
Create Remote Thread #7: c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 0x554 address = 0x4d7b50c True 1
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\ciihmn~1\appdata\local\temp\updee12df24.exe 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\updee12df24.exe 296.00 KB (303104 bytes) MD5: 2bbf4515f3f42a943b2732e24fc9f19e
SHA1: ce487e80749edeccbadefa9c6fb967ca743e70bd
SHA256: af1c61d4a742b3cb4a11b2bbbdc4b6a4ae77b215ad6aa57f1d51a309f2b77f9f
False
Modified Files
Filename File Size Hash Values YARA Match Actions
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\inetcache\ie\gy9r3u9a\g[1].htm 0.19 KB (192 bytes) MD5: 8eb3797f52a0bbc1e9826d70636bc3fa
SHA1: 524c615ba75de8513477acfec8af51a28a7dbfde
SHA256: 1727cfb8c3f8af8d01089854993db8dc6528718202e3c855dbb2bca32d781768
False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\inetcache\ie\gy9r3u9a\g[1].htm 0.19 KB (192 bytes) MD5: 2b07a02e4b1ff8e22172598ba3a6fba2
SHA1: fabff235cdff47ba51462a567b074f926c2f7f94
SHA256: fd3f3df862ff7941a9097c255b070dbdcdfdd558aacdcb504ecf7a0668476dc4
False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\inetcache\ie\gy9r3u9a\w[1].htm 0.17 KB (172 bytes) MD5: d7fb3e78190127430968c50d9461fd82
SHA1: 192518e17d9ad1461bba00b7e207190c220a568f
SHA256: 0510c0e116492d789f1cd43daf3eb5be7d50158f018ce3a3a48786f46dfd945f
False
Host Behavior
COM (18)
Operation Class Interface Additional Information Success Count Logfile
Create WBEMLocator IWbemLocator cls_context = CLSCTX_INPROC_SERVER, CLSCTX_NO_CODE_DOWNLOAD, CLSCTX_NO_FAILURE_LOG True 6
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = ROOT\SecurityCenter True 1
Execute WBEMLocator IWbemServices method_name = ExecQuery True 1
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = ROOT\SecurityCenter2 True 1
Execute WBEMLocator IWbemServices method_name = ExecQuery True 1
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = R True 1
Execute WBEMLocator IWbemServices method_name = ExecQuery, query = S True 1
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = ROOT\SecurityCenter2 True 1
Execute WBEMLocator IWbemServices method_name = ExecQuery, query = S True 1
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = R True 1
Execute WBEMLocator IWbemServices method_name = ExecQuery, query = Select * from FirewallProduct True 1
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = ROOT\SecurityCenter2 True 1
Execute WBEMLocator IWbemServices method_name = ExecQuery, query = Select * from FirewallProduct True 1
File (489)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.tmp desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.tmp desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 4
Create C:\Users\CIIHMN~1\AppData\Local\Temp\updee12df24.exe desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 11
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 11
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.tmp desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 8
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 8
Create Pipe pipe\e7cb4c13c5ff510208fe9abc26bb5b59 open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_OVERLAPPED, max_instances = 255 True 1
Get Info C:\Users type = file_attributes True 31
Get Info C:\Users\CIiHmnxMn6Ps type = file_attributes True 31
Get Info C:\Users\CIiHmnxMn6Ps\AppData type = file_attributes True 31
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming type = file_attributes True 31
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia type = file_attributes True 31
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player type = file_attributes True 31
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com type = file_attributes True 31
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support type = file_attributes True 31
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer type = file_attributes True 31
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys type = file_attributes True 31
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 6441 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 7008 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.tmp type = file_attributes True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 7290 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.tmp type = size, size_out = 1587 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 8097 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe type = size, size_out = 404480 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 8350 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 8623 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.tmp type = size, size_out = 1587 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 8896 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 9169 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 9383 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 9663 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 9930 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 10255 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 10530 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 10779 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 11042 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 11887 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 12168 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 12417 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 12680 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 12961 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 13208 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 13467 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.tmp type = file_attributes False 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = file_attributes True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 14217 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.tmp type = size, size_out = 14217 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 0 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 274 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 522 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 1032 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 1280 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 1537 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 1785 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 2046 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 2295 True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.tmp source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 6441, size_out = 6441 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 7008, size_out = 7008 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 7290, size_out = 7290 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 8097, size_out = 8097 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe size = 404480, size_out = 404480 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 8350, size_out = 8350 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 8623, size_out = 8623 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.tmp size = 1587, size_out = 1587 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 8896, size_out = 8896 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 9169, size_out = 9169 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 9383, size_out = 9383 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 9663, size_out = 9663 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 9930, size_out = 9930 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 10255, size_out = 10255 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 10530, size_out = 10530 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 10779, size_out = 10779 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 11042, size_out = 11042 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 11887, size_out = 11887 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 12168, size_out = 12168 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 12417, size_out = 12417 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 12680, size_out = 12680 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 12961, size_out = 12961 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 13208, size_out = 13208 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 13467, size_out = 13467 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.tmp size = 14217, size_out = 14217 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 274, size_out = 274 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 522, size_out = 522 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 1032, size_out = 1032 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 1280, size_out = 1280 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 1537, size_out = 1537 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 1785, size_out = 1785 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 2046, size_out = 2046 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 2295, size_out = 2295 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 7008 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 7290 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 7530 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 8350 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 8623 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 8896 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 9169 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 9383 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 9663 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 9930 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 10255 True 1
Write C:\Users\CIIHMN~1\AppData\Local\Temp\updee12df24.exe size = 303104 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 10530 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 10779 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 11042 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 11267 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 12168 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 12417 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 12680 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 12961 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 13208 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 13467 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 13746 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 274 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 522 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 779 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 1280 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 1537 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 1785 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 2046 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 2295 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 2556 True 1
Delete C:\Users\CIIHMN~1\AppData\Local\Temp\updee12df24.exe - False 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.tmp - True 2
Registry (169)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run - True 1
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 7
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 2
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 3
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 2
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 3
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 8
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 13
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 12
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_BINARY True 2
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 2
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_BINARY True 2
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_BINARY True 4
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 2
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_BINARY True 2
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 2
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_BINARY True 2
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_BINARY True 2
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_BINARY True 2
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_BINARY True 2
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 2
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_BINARY True 4
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 2
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 10
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 8
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_BINARY True 18
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Akudfeen, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Akudfeen, type = REG_BINARY True 4
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 2
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_BINARY True 16
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 8
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, size = 1776, type = REG_BINARY True 1
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run value_name = containers.exe, data = "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe", size = 236, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, size = 1776, type = REG_BINARY True 1
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, size = 1776, type = REG_BINARY True 4
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Akudfeen, size = 95680, type = REG_BINARY True 1
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Akudfeen, size = 215872, type = REG_BINARY True 1
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Akudfeen, size = 310112, type = REG_BINARY True 1
Process (600)
Operation Process Additional Information Success Count Logfile
Create "C:\Users\CIIHMN~1\AppData\Local\Temp\updee12df24.exe" -update os_pid = 0xa44, creation_flags = CREATE_DEFAULT_ERROR_MODE, show_window = SW_HIDE True 1
Open System desired_access = PROCESS_QUERY_INFORMATION False 15
Open c:\windows\system32\smss.exe desired_access = PROCESS_QUERY_INFORMATION False 15
Open c:\windows\system32\csrss.exe desired_access = PROCESS_QUERY_INFORMATION False 15
Open c:\windows\system32\wininit.exe desired_access = PROCESS_QUERY_INFORMATION False 15
Open c:\windows\system32\csrss.exe desired_access = PROCESS_QUERY_INFORMATION False 15
Open c:\windows\system32\winlogon.exe desired_access = PROCESS_QUERY_INFORMATION False 15
Open c:\windows\system32\services.exe desired_access = PROCESS_QUERY_INFORMATION False 15
Open c:\windows\system32\lsass.exe desired_access = PROCESS_QUERY_INFORMATION False 15
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 15
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 15
Open c:\windows\system32\dwm.exe desired_access = PROCESS_QUERY_INFORMATION False 15
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 15
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 15
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 15
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 15
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 15
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 15
Open c:\windows\system32\spoolsv.exe desired_access = PROCESS_QUERY_INFORMATION False 15
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 15
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 15
Open c:\program files (x86)\common files\adobe\arm\1.0\armsvc.exe desired_access = PROCESS_QUERY_INFORMATION False 15
Open c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe desired_access = PROCESS_QUERY_INFORMATION False 15
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 15
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 2
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 2
Fn
Open c:\windows\explorer.exe desired_access = PROCESS_QUERY_INFORMATION True 2
Fn
Open c:\windows\system32\runtimebroker.exe desired_access = PROCESS_QUERY_INFORMATION True 2
Fn
Open c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe desired_access = PROCESS_QUERY_INFORMATION True 2
Fn
Open c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe desired_access = PROCESS_QUERY_INFORMATION True 2
Fn
Open c:\program files\microsoft office\root\office16\onenotem.exe desired_access = PROCESS_QUERY_INFORMATION True 2
Fn
Open c:\windows\system32\wbem\wmiprvse.exe desired_access = PROCESS_QUERY_INFORMATION False 11
Fn
Open c:\windows\system32\dllhost.exe desired_access = PROCESS_QUERY_INFORMATION True 2
Fn
Open c:\windows\syswow64\svchost.exe desired_access = PROCESS_QUERY_INFORMATION True 2
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\windows\explorer.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\windows\system32\runtimebroker.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files\microsoft office\root\office16\onenotem.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\windows\syswow64\svchost.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\windows\syswow64\msiexec.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\windows\syswow64\msiexec.exe desired_access = PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME True 1
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 24
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 21
Fn
Open c:\windows\explorer.exe desired_access = PROCESS_QUERY_INFORMATION True 21
Fn
Open c:\windows\system32\runtimebroker.exe desired_access = PROCESS_QUERY_INFORMATION True 21
Fn
Open c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe desired_access = PROCESS_QUERY_INFORMATION True 21
Fn
Open c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe desired_access = PROCESS_QUERY_INFORMATION True 20
Fn
Open c:\program files\microsoft office\root\office16\onenotem.exe desired_access = PROCESS_QUERY_INFORMATION True 20
Fn
Open c:\windows\syswow64\svchost.exe desired_access = PROCESS_QUERY_INFORMATION True 20
Fn
Open c:\windows\syswow64\msiexec.exe desired_access = PROCESS_QUERY_INFORMATION True 20
Fn
Thread (1)
Operation Process Additional Information Success Count Logfile
Create c:\windows\syswow64\msiexec.exe proc_address = 0x46b50c, proc_parameter = 0, flags = THREAD_RUNS_IMMEDIATELY True 1
Fn
Memory (5)
Operation Process Additional Information Success Count Logfile
Allocate c:\windows\syswow64\msiexec.exe address = 0x460000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 131072 True 1
Fn
Write c:\windows\syswow64\msiexec.exe address = 0x460000, size = 131072 True 1
Fn
Data
Write c:\windows\syswow64\msiexec.exe address = 0x47b6a4, size = 4 True 1
Fn
Data
Write c:\windows\syswow64\msiexec.exe address = 0x47b7c0, size = 4 True 1
Fn
Data
Write c:\windows\syswow64\msiexec.exe address = 0x47bdb4, size = 4 True 1
Fn
Data
Module (54)
Operation Module Additional Information Success Count Logfile
Load KERNEL32.dll base_address = 0x74990000 True 1
Fn
Load USER32.dll base_address = 0x75c90000 True 1
Fn
Load NTDLL base_address = 0x777a0000 True 6
Fn
Load advapi32.dll base_address = 0x757f0000 True 1
Fn
Load shlwapi.dll base_address = 0x77410000 True 1
Fn
Load psapi.dll base_address = 0x75780000 True 1
Fn
Load secur32.dll base_address = 0x745b0000 True 1
Fn
Load SSPICLI base_address = 0x748b0000 True 1
Fn
Load wininet.dll base_address = 0x74240000 True 1
Fn
Load crypt32.dll base_address = 0x75510000 True 1
Fn
Load urlmon.dll base_address = 0x74630000 True 2
Fn
Load ole32.dll base_address = 0x75690000 True 1
Fn
Load api-ms-win-core-com-l1-1-0 base_address = 0x75a90000 True 4
Fn
Get Handle advapi32.dll base_address = 0x0 False 1
Fn
Get Handle shlwapi.dll base_address = 0x0 False 1
Fn
Get Handle psapi.dll base_address = 0x0 False 1
Fn
Get Handle secur32.dll base_address = 0x0 False 1
Fn
Get Handle c:\windows\syswow64\oleaut32.dll base_address = 0x75dd0000 True 1
Fn
Get Filename psapi.dll process_name = c:\windows\syswow64\svchost.exe, file_name_orig = C:\Windows\SysWOW64\svchost.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedExchange, address_out = 0x749a7650 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapCreate, address_out = 0x749a9950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x749a25e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x777dbae0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x777dda90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapDestroy, address_out = 0x749ad940 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x749a7910 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedIncrement, address_out = 0x749a7520 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x749a9640 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x749a77b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x749ad8d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryW, address_out = 0x749aa0b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x749a7940 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x749a9660 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadImageW, address_out = 0x75cc4500 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlAddVectoredExceptionHandler, address_out = 0x777ff090 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitializeCriticalSection, address_out = 0x777f95f0 True 1
Fn
Get Address c:\windows\syswow64\sspicli.dll function = GetUserNameExW, address_out = 0x748bc5f0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlEnterCriticalSection, address_out = 0x777e5e80 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlLeaveCriticalSection, address_out = 0x777e5e00 True 1
Fn
Get Address c:\windows\syswow64\combase.dll function = CoInitializeEx, address_out = 0x75afcd50 True 1
Fn
Get Address c:\windows\syswow64\combase.dll function = CoCreateInstance, address_out = 0x75b38200 True 1
Fn
Get Address c:\windows\syswow64\combase.dll function = CoSetProxyBlanket, address_out = 0x75b586d0 True 1
Fn
Get Address c:\windows\syswow64\combase.dll function = CoUninitialize, address_out = 0x75afdca0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlRemoveVectoredExceptionHandler, address_out = 0x777c8870 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlDeleteCriticalSection, address_out = 0x777f9920 True 1
Fn
System (276)
Operation Additional Information Success Count Logfile
Sleep duration = -1 (infinite) True 52
Fn
Sleep duration = 300000 milliseconds (300.000 seconds) True 2
Fn
Sleep duration = 20000 milliseconds (20.000 seconds) True 1
Fn
Get Time type = Local Time, time = 2017-11-30 14:37:52 (Local Time) True 3
Fn
Get Time type = System Time, time = 2017-11-30 03:37:52 (UTC) True 3
Fn
Get Time type = System Time, time = 2017-11-30 03:37:53 (UTC) True 6
Fn
Get Time type = Local Time, time = 2017-11-30 14:37:53 (Local Time) True 1
Fn
Get Time type = Ticks, time = 47031 True 1
Fn
Get Time type = System Time, time = 2017-11-30 03:37:59 (UTC) True 5
Fn
Get Time type = System Time, time = 2017-11-30 03:38:00 (UTC) True 6
Fn
Get Time type = System Time, time = 2017-11-30 03:38:01 (UTC) True 4
Fn
Get Time type = System Time, time = 2017-11-30 03:38:02 (UTC) True 4
Fn
Get Time type = System Time, time = 2017-11-30 03:38:03 (UTC) True 1
Fn
Get Time type = System Time, time = 2017-11-30 03:38:27 (UTC) True 2
Fn
Get Time type = System Time, time = 2017-11-30 03:38:28 (UTC) True 6
Fn
Get Time type = System Time, time = 2017-11-30 03:38:29 (UTC) True 6
Fn
Get Info type = Operating System False 140
Fn
Get Info type = Hardware Information True 3
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION False 15
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 15
Fn
Mutex (102)
Operation Additional Information Success Count Logfile
Create mutex_name = 8EB663269EDB2551D78D6BE980D8D1D5 True 1
Fn
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Fn
Create mutex_name = 3A05CFF4EB7DE2EF8F3985678370FA5D True 1
Fn
Create mutex_name = 99DCC4F63896BA52D9D5D3F7098E00E5 True 1
Fn
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Fn
Create mutex_name = 55A4DE17653FCFB535BFCEB7986C3B1D True 1
Fn
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Fn
Create mutex_name = 843724E431E9542E94836F8E62819404 True 1
Fn
Create mutex_name = ACD86ED691154353041C7827C4241C0D True 1
Fn
Create mutex_name = BA6E0713253533C2BD32E023F51DAAB1 True 1
Fn
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Fn
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Fn
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Fn
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Fn
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 4
Fn
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Fn
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 12
Fn
Create mutex_name = 690CE47B932790ABBAE4486C8750D5B2 True 2
Fn
Create mutex_name = 1F6114CF197C565BFF427879E00139DA True 3
Fn
Create mutex_name = 690CE47B932790ABBAE4486C8750D5B2 True 12
Fn
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 8
Fn
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Fn
Release mutex_name = 99DCC4F63896BA52D9D5D3F7098E00E5 True 1
Fn
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Fn
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Fn
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Fn
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Fn
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Fn
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Fn
Release - True 1
Fn
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 4
Fn
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Fn
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 16
Fn
Release mutex_name = 1F6114CF197C565BFF427879E00139DA True 3
Fn
Release mutex_name = BA6E0713253533C2BD32E023F51DAAB1 True 1
Fn
Release mutex_name = 843724E431E9542E94836F8E62819404 True 1
Fn
Release mutex_name = ACD86ED691154353041C7827C4241C0D True 1
Fn
Release mutex_name = 3A05CFF4EB7DE2EF8F3985678370FA5D True 1
Fn
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 8
Fn
Release mutex_name = 55A4DE17653FCFB535BFCEB7986C3B1D True 1
Fn
Network Behavior
HTTP Sessions (13)
Information Value
Total Data Sent 8.49 KB (8698 bytes)
Total Data Received 1.14 MB (1194783 bytes)
Contacted Host Count 2
Contacted Hosts 330f35e9f647.loan, google.com
HTTP Session #1
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.69 KB (706 bytes)
Data Received 571.98 KB (585712 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /8C1SLhHn/2_/8tA/E/H/Fbk/8JMoO2Tv/9/2Kg, accept_types = 81297408, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/8C1SLhHn/2_/8tA/E/H/Fbk/8JMoO2Tv/9/2Kg False 1
Fn
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/8C1SLhHn/2_/8tA/E/H/Fbk/8JMoO2Tv/9/2Kg True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Read Response size = 4096, size_out = 4096 True 3
Fn
Data
Read Response size = 4096, size_out = 3883 True 1
Fn
Data
Read Response size = 4096, size_out = 4096 True 12
Fn
Data
Read Response size = 4096, size_out = 4087 True 1
Fn
Data
Read Response size = 4096, size_out = 4096 True 15
Fn
Data
Read Response size = 4096, size_out = 4087 True 1
Fn
Data
Read Response size = 4096, size_out = 4096 True 15
Fn
Data
Read Response size = 4096, size_out = 4087 True 1
Fn
Data
Read Response size = 4096, size_out = 4096 True 15
Fn
Data
Read Response size = 4096, size_out = 4088 True 1
Fn
Data
Read Response size = 4096, size_out = 4096 True 7
Fn
Data
Read Response size = 4096, size_out = 4088 True 1
Fn
Data
Read Response size = 4096, size_out = 4096 True 7
Fn
Data
Read Response size = 4096, size_out = 4088 True 1
Fn
Data
Read Response size = 4096, size_out = 4096 True 7
Fn
Data
Read Response size = 4096, size_out = 4087 True 1
Fn
Data
Read Response size = 4096, size_out = 4096 True 54
Fn
Data
Read Response size = 4096, size_out = 253 True 1
Fn
Data
Read Response size = 4096, size_out = 0 True 1
Fn
Close Session - True 2
Fn
HTTP Session #2
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.68 KB (700 bytes)
Data Received 0.19 KB (196 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /pW6teVTI/k-sq/J/2j7/cmhBJoSRZ8F/qDQ, accept_types = 81297408, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/pW6teVTI/k-sq/J/2j7/cmhBJoSRZ8F/qDQ False 1
Fn
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/pW6teVTI/k-sq/J/2j7/cmhBJoSRZ8F/qDQ True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Read Response size = 4096, size_out = 192 True 1
Fn
Data
Read Response size = 4096, size_out = 0 True 1
Fn
Close Session - True 9
Fn
HTTP Session #3
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name google.com
Server Port 80
Data Sent 0.29 KB (300 bytes)
Data Received 43.26 KB (44303 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = google.com, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /, accept_types = 81297408, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = Connection: close , url = google.com/ True 1
Fn
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Read Response size = 4096, size_out = 4096 True 10
Fn
Data
Read Response size = 4096, size_out = 3339 True 1
Fn
Data
Read Response size = 4096, size_out = 0 True 1
Fn
Close Session - True 2
Fn
HTTP Session #4
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.69 KB (702 bytes)
Data Received 0.09 KB (92 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /xnecdWiG1/m9/J5MGn6/T/2YACd/yAYfNpLQ, accept_types = 81297408, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/xnecdWiG1/m9/J5MGn6/T/2YACd/yAYfNpLQ False 1
Fn
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/xnecdWiG1/m9/J5MGn6/T/2YACd/yAYfNpLQ True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Read Response size = 4096, size_out = 88 True 1
Fn
Data
Read Response size = 4096, size_out = 0 True 1
Fn
Close Session - True 2
Fn
HTTP Session #5
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.68 KB (700 bytes)
Data Received 0.19 KB (196 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /SEP4vYw6/sPlMZ/3/v0URdi/NOLRdM5J/cg, accept_types = 81297408, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/SEP4vYw6/sPlMZ/3/v0URdi/NOLRdM5J/cg False 1
Fn
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/SEP4vYw6/sPlMZ/3/v0URdi/NOLRdM5J/cg True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Read Response size = 4096, size_out = 192 True 1
Fn
Data
Read Response size = 4096, size_out = 0 True 1
Fn
Close Session - True 9
Fn
HTTP Session #6
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.68 KB (694 bytes)
Data Received 170.03 KB (174108 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /NrY/r/c5FHX/_/0aFNoP8C8TO/VnC/g/, accept_types = 81297408, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/NrY/r/c5FHX/_/0aFNoP8C8TO/VnC/g/ False 1
Fn
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/NrY/r/c5FHX/_/0aFNoP8C8TO/VnC/g/ True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Read Response size = 4096, size_out = 4096 True 3
Fn
Data
Read Response size = 4096, size_out = 3883 True 1
Fn
Data
Read Response size = 4096, size_out = 4096 True 12
Fn
Data
Read Response size = 4096, size_out = 4087 True 1
Fn
Data
Read Response size = 4096, size_out = 4096 True 15
Fn
Data
Read Response size = 4096, size_out = 4088 True 1
Fn
Data
Read Response size = 4096, size_out = 4096 True 9
Fn
Data
Read Response size = 4096, size_out = 2302 True 1
Fn
Data
Read Response size = 4096, size_out = 0 True 1
Fn
Close Session - True 2
Fn
HTTP Session #7
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.68 KB (698 bytes)
Data Received 213.42 KB (218544 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /9piYZTuz9/2sx1Clf5U1sISMKMW81/q/MQ, accept_types = 81297408, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/9piYZTuz9/2sx1Clf5U1sISMKMW81/q/MQ False 1
Fn
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/9piYZTuz9/2sx1Clf5U1sISMKMW81/q/MQ True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Read Response size = 4096, size_out = 4096 True 3
Fn
Data
Read Response size = 4096, size_out = 3883 True 1
Fn
Data
Read Response size = 4096, size_out = 4096 True 12
Fn
Data
Read Response size = 4096, size_out = 4087 True 1
Fn
Data
Read Response size = 4096, size_out = 4096 True 15
Fn
Data
Read Response size = 4096, size_out = 4087 True 1
Fn
Data
Read Response size = 4096, size_out = 4096 True 20
Fn
Data
Read Response size = 4096, size_out = 1683 True 1
Fn
Data
Read Response size = 4096, size_out = 0 True 1
Fn
Close Session - True 9
Fn
HTTP Session #8
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.67 KB (690 bytes)
Data Received 167.50 KB (171524 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /l6yH/j4/plG2GbX2ldR8utbqF/HD/A, accept_types = 81297408, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/l6yH/j4/plG2GbX2ldR8utbqF/HD/A False 1
Fn
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/l6yH/j4/plG2GbX2ldR8utbqF/HD/A True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Read Response size = 4096, size_out = 4096 True 3
Fn
Data
Read Response size = 4096, size_out = 3883 True 1
Fn
Data
Read Response size = 4096, size_out = 4096 True 12
Fn
Data
Read Response size = 4096, size_out = 4087 True 1
Fn
Data
Read Response size = 4096, size_out = 4096 True 15
Fn
Data
Read Response size = 4096, size_out = 4088 True 1
Fn
Data
Read Response size = 4096, size_out = 4096 True 8
Fn
Data
Read Response size = 4096, size_out = 3814 True 1
Fn
Data
Read Response size = 4096, size_out = 0 True 1
Fn
Close Session - True 9
Fn
HTTP Session #9
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.69 KB (708 bytes)
Data Received 0.09 KB (92 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /WJFCdFULD/tP/ZaEGn/rc/211/J/v/ijQ/fN4EQ, accept_types = 81297408, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/WJFCdFULD/tP/ZaEGn/rc/211/J/v/ijQ/fN4EQ False 1
Fn
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/WJFCdFULD/tP/ZaEGn/rc/211/J/v/ijQ/fN4EQ True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Read Response size = 4096, size_out = 88 True 1
Fn
Data
Read Response size = 4096, size_out = 0 True 1
Fn
Close Session - True 9
Fn
HTTP Session #10
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.68 KB (698 bytes)
Data Received 0.00 KB (4 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /cIh/g/P/V0METF/RW/hZEvuN/Yd5W/J/w/, accept_types = 81297408, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/cIh/g/P/V0METF/RW/hZEvuN/Yd5W/J/w/ False 1
Fn
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/cIh/g/P/V0METF/RW/hZEvuN/Yd5W/J/w/ True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Close Session - True 9
Fn
HTTP Session #11
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.69 KB (702 bytes)
Data Received 0.00 KB (4 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /sTx52Lxwi/k/OhkZ/j_hXlZYAu/ad/N6VyPA, accept_types = 81297408, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/sTx52Lxwi/k/OhkZ/j_hXlZYAu/ad/N6VyPA False 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/sTx52Lxwi/k/OhkZ/j_hXlZYAu/ad/N6VyPA True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Close Session - True 9
HTTP Session #12
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.68 KB (698 bytes)
Data Received 0.00 KB (4 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /TkN2Lgy/t9dSY/UHKX3/Va/P4CpZe5q/Lw, accept_types = 81297408, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/TkN2Lgy/t9dSY/UHKX3/Va/P4CpZe5q/Lw False 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/TkN2Lgy/t9dSY/UHKX3/Va/P4CpZe5q/Lw True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Close Session - True 9
HTTP Session #13
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.69 KB (702 bytes)
Data Received 0.00 KB (4 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /3qeDwipy/0M/15F3rEV/lgCANe/hdf5/O/PQ, accept_types = 81297408, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/3qeDwipy/0M/15F3rEV/lgCANe/hdf5/O/PQ False 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/3qeDwipy/0M/15F3rEV/lgCANe/hdf5/O/PQ True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Close Session - True 9
Process #9: svchost.exe
(Host: 132, Network: 0)
Information Value
ID #9
File Name c:\windows\syswow64\svchost.exe
Command Line C:\Windows\SysWOW64\svchost.exe -k netsvcs
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:57, Reason: Child Process
Unmonitor End Time: 00:15:27, Reason: Terminated by Timeout
Monitor Duration 00:12:30
OS Process Information
Information Value
PID 0x4e4
Parent PID 0x920 (c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0001400a (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x BE0
0x BEC
0x 2E4
0x 848
0x 988
0x BF8
0x 4F0
0x 86C
0x 7BC
0x A88
0x A78
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
svchost.exe 0x000c0000 0x000cafff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000900000 0x00900000 0x048fffff Pagefile Backed Memory - True False False
private_0x0000000004900000 0x04900000 0x0491ffff Private Memory Readable, Writable True False False
pagefile_0x0000000004900000 0x04900000 0x0490ffff Pagefile Backed Memory Readable, Writable True False False
svchost.exe.mui 0x04910000 0x04910fff Memory Mapped File Readable False False False
private_0x0000000004920000 0x04920000 0x04921fff Private Memory Readable, Writable True False False
private_0x0000000004920000 0x04920000 0x04920fff Private Memory Readable, Writable True False False
pagefile_0x0000000004930000 0x04930000 0x04943fff Pagefile Backed Memory Readable True False False
private_0x0000000004950000 0x04950000 0x0498ffff Private Memory Readable, Writable True False False
private_0x0000000004990000 0x04990000 0x049cffff Private Memory Readable, Writable True False False
pagefile_0x00000000049d0000 0x049d0000 0x049d3fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000049e0000 0x049e0000 0x049e0fff Pagefile Backed Memory Readable True False False
private_0x00000000049f0000 0x049f0000 0x049f1fff Private Memory Readable, Writable True False False
private_0x0000000004a00000 0x04a00000 0x04a1ffff Private Memory Readable, Writable, Executable True False False
private_0x0000000004a20000 0x04a20000 0x04a5ffff Private Memory Readable, Writable True False False
private_0x0000000004a60000 0x04a60000 0x04a9ffff Private Memory Readable, Writable True False False
private_0x0000000004aa0000 0x04aa0000 0x04adffff Private Memory Readable, Writable True False False
imm32.dll 0x04ae0000 0x04b09fff Memory Mapped File Readable False False False
private_0x0000000004ae0000 0x04ae0000 0x04ae0fff Private Memory Readable, Writable True False False
private_0x0000000004af0000 0x04af0000 0x04af0fff Private Memory Readable, Writable, Executable True False False
private_0x0000000004b00000 0x04b00000 0x04b01fff Private Memory Readable, Writable True False False
private_0x0000000004b00000 0x04b00000 0x04b00fff Private Memory Readable, Writable True False False
private_0x0000000004b10000 0x04b10000 0x04b13fff Private Memory Readable, Writable True False False
locale.nls 0x04b20000 0x04bddfff Memory Mapped File Readable False False False
private_0x0000000004be0000 0x04be0000 0x04c1ffff Private Memory Readable, Writable True False False
private_0x0000000004c80000 0x04c80000 0x04c86fff Private Memory Readable, Writable True False False
private_0x0000000004c90000 0x04c90000 0x04ccffff Private Memory Readable, Writable True False False
private_0x0000000004d00000 0x04d00000 0x04dfffff Private Memory Readable, Writable True False False
private_0x0000000004e00000 0x04e00000 0x04efffff Private Memory Readable, Writable True False False
pagefile_0x0000000004f00000 0x04f00000 0x05087fff Pagefile Backed Memory Readable True False False
private_0x0000000005090000 0x05090000 0x05124fff Private Memory Readable, Writable True False False
private_0x0000000005090000 0x05090000 0x050f2fff Private Memory Readable, Writable True False False
private_0x0000000005100000 0x05100000 0x05103fff Private Memory Readable, Writable True False False
private_0x0000000005120000 0x05120000 0x05124fff Private Memory Readable, Writable True False False
private_0x0000000005130000 0x05130000 0x0532ffff Private Memory Readable, Writable True False False
private_0x00000000051b0000 0x051b0000 0x051effff Private Memory Readable, Writable True False False
private_0x0000000005200000 0x05200000 0x052fffff Private Memory Readable, Writable True False False
pagefile_0x0000000005300000 0x05300000 0x05480fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000005490000 0x05490000 0x0688ffff Pagefile Backed Memory Readable True False False
private_0x0000000006890000 0x06890000 0x068cffff Private Memory Readable, Writable True False False
private_0x0000000006900000 0x06900000 0x069fffff Private Memory Readable, Writable True False False
sortdefault.nls 0x06a00000 0x06d36fff Memory Mapped File Readable False False False
private_0x0000000006e40000 0x06e40000 0x06f3ffff Private Memory Readable, Writable True False False
private_0x0000000007240000 0x07240000 0x0733ffff Private Memory Readable, Writable True False False
private_0x0000000007340000 0x07340000 0x0737ffff Private Memory Readable, Writable True False False
wow64cpu.dll 0x581b0000 0x581b7fff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x581c0000 0x5820efff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x58210000 0x58282fff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x74470000 0x74497fff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x744a0000 0x744cefff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x744d0000 0x744e2fff Memory Mapped File Readable, Writable, Executable False False False
secur32.dll 0x745b0000 0x745b9fff Memory Mapped File Readable, Writable, Executable False False False
bcrypt.dll 0x74610000 0x7462afff Memory Mapped File Readable, Writable, Executable False False False
bcryptprimitives.dll 0x74840000 0x74898fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x748a0000 0x748a9fff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x748b0000 0x748cdfff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x74990000 0x74a7ffff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x74a80000 0x74b2bfff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x74d10000 0x74e5cfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x753a0000 0x753e2fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x753f0000 0x754adfff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x75780000 0x75785fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x757f0000 0x7586afff Memory Mapped File Readable, Writable, Executable False False False
combase.dll 0x75a90000 0x75c49fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x75c60000 0x75c8afff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x75c90000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75e70000 0x75fe5fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x77410000 0x77453fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x77680000 0x7779ffff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x777a0000 0x77918fff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007f2ab000 0x7f2ab000 0x7f2adfff Private Memory Readable, Writable True False False
private_0x000000007f2ae000 0x7f2ae000 0x7f2b0fff Private Memory Readable, Writable True False False
private_0x000000007f2ba000 0x7f2ba000 0x7f2bcfff Private Memory Readable, Writable True False False
pagefile_0x000000007f2c0000 0x7f2c0000 0x7f3bffff Pagefile Backed Memory Readable True False False
pagefile_0x000000007f3c0000 0x7f3c0000 0x7f3e2fff Pagefile Backed Memory Readable True False False
private_0x000000007f3e4000 0x7f3e4000 0x7f3e4fff Private Memory Readable, Writable True False False
private_0x000000007f3e6000 0x7f3e6000 0x7f3e8fff Private Memory Readable, Writable True False False
private_0x000000007f3e9000 0x7f3e9000 0x7f3ebfff Private Memory Readable, Writable True False False
private_0x000000007f3ec000 0x7f3ec000 0x7f3eefff Private Memory Readable, Writable True False False
private_0x000000007f3ef000 0x7f3ef000 0x7f3effff Private Memory Readable, Writable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7dfe18a2ffff Private Memory Readable True False False
pagefile_0x00007dfe18a30000 0x7dfe18a30000 0x7ffe18a2ffff Pagefile Backed Memory - True False False
ntdll.dll 0x7ffe18a30000 0x7ffe18bf1fff Memory Mapped File Readable, Writable, Executable False False False
private_0x00007ffe18bf2000 0x7ffe18bf2000 0x7ffffffeffff Private Memory Readable True False False
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count Logfile
Modify Memory #7: c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 0x554 address = 0x4a00000, size = 131072 True 1
Modify Memory #7: c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 0x554 address = 0x4a1b6a4, size = 4 True 1
Modify Memory #7: c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 0x554 address = 0x4a1b7c0, size = 4 True 1
Modify Memory #7: c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 0x554 address = 0x4a1bdb4, size = 4 True 1
Create Remote Thread #7: c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 0x554 address = 0x4a0b50c True 1
Host Behavior
File (35)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Get Info C:\Users type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 7530 True 1
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\agvufyy type = file_attributes False 1
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\aduqmaq type = file_attributes False 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 779 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe type = size, size_out = 404480 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 7530, size_out = 7530 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 779, size_out = 779 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe size = 404480, size_out = 404480 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 8097 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 1032 True 1
Registry (26)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run - True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 5
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 2
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 2
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 6
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_BINARY True 2
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Akudfeen, type = REG_NONE False 1
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, size = 1776, type = REG_BINARY True 1
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, size = 1776, type = REG_BINARY True 1
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run value_name = containers.exe, data = "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe", size = 236, type = REG_SZ True 1
Module (40)
Operation Module Additional Information Success Count Logfile
Load KERNEL32.dll base_address = 0x74990000 True 1
Load USER32.dll base_address = 0x75c90000 True 1
Load NTDLL base_address = 0x777a0000 True 6
Load advapi32.dll base_address = 0x757f0000 True 1
Load shlwapi.dll base_address = 0x77410000 True 1
Load psapi.dll base_address = 0x75780000 True 1
Load secur32.dll base_address = 0x745b0000 True 1
Load SSPICLI base_address = 0x748b0000 True 1
Get Handle advapi32.dll base_address = 0x0 False 1
Get Handle shlwapi.dll base_address = 0x0 False 1
Get Handle psapi.dll base_address = 0x0 False 1
Get Handle secur32.dll base_address = 0x0 False 1
Get Filename psapi.dll process_name = c:\windows\syswow64\svchost.exe, file_name_orig = C:\Windows\SysWOW64\svchost.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedExchange, address_out = 0x749a7650 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapCreate, address_out = 0x749a9950 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x749a25e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x777dbae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x777dda90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapDestroy, address_out = 0x749ad940 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x749a7910 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedIncrement, address_out = 0x749a7520 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x749a9640 True 1
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x749a77b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x749ad8d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryW, address_out = 0x749aa0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x749a7940 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x749a9660 True 1
Get Address c:\windows\syswow64\user32.dll function = LoadImageW, address_out = 0x75cc4500 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlAddVectoredExceptionHandler, address_out = 0x777ff090 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitializeCriticalSection, address_out = 0x777f95f0 True 1
Get Address c:\windows\syswow64\sspicli.dll function = GetUserNameExW, address_out = 0x748bc5f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlEnterCriticalSection, address_out = 0x777e5e80 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlLeaveCriticalSection, address_out = 0x777e5e00 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlRemoveVectoredExceptionHandler, address_out = 0x777c8870 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlDeleteCriticalSection, address_out = 0x777f9920 True 1
System (10)
Operation Additional Information Success Count Logfile
Sleep duration = -1 (infinite) True 3
Sleep duration = 20000 milliseconds (20.000 seconds) True 1
Get Time type = Local Time, time = 2017-11-30 14:37:53 (Local Time) True 1
Get Time type = System Time, time = 2017-11-30 03:37:53 (UTC) True 1
Get Time type = Local Time, time = 2017-11-30 14:38:28 (Local Time) True 1
Get Time type = System Time, time = 2017-11-30 03:38:28 (UTC) True 1
Get Info type = Operating System False 2
Mutex (13)
Operation Additional Information Success Count Logfile
Create mutex_name = 8592029A1BBD0F5EDCA2A860E613ACDB True 1
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Create mutex_name = 99DCC4F63896BA52D9D5D3F7098E00E5 True 1
Create mutex_name = 99DCC4F63896BA52D9D5D3F7098E00E5 True 1
Create mutex_name = ACD86ED691154353041C7827C4241C0D True 1
Create mutex_name = BA6E0713253533C2BD32E023F51DAAB1 True 1
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Release mutex_name = 99DCC4F63896BA52D9D5D3F7098E00E5 True 1
Release mutex_name = 99DCC4F63896BA52D9D5D3F7098E00E5 True 1
Release mutex_name = ACD86ED691154353041C7827C4241C0D True 1
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Release mutex_name = BA6E0713253533C2BD32E023F51DAAB1 True 1
Process #12: updee12df24.exe
(Host: 2087, Network: 0)
Information Value
ID #12
File Name c:\users\ciihmn~1\appdata\local\temp\updee12df24.exe
Command Line "C:\Users\CIIHMN~1\AppData\Local\Temp\updee12df24.exe" -update
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:04, Reason: Child Process
Unmonitor End Time: 00:15:27, Reason: Terminated by Timeout
Monitor Duration 00:12:23
OS Process Information
Information Value
PID 0xa44
Parent PID 0xad8 (c:\windows\syswow64\svchost.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0001400a (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x A90
0x A54
0x A18
0x A88
0x A9C
0x 84
0x 1B4
0x A6C
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00023fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False
pagefile_0x0000000000040000 0x00040000 0x00053fff Pagefile Backed Memory Readable True False False
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory Readable, Writable True False False
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory Readable, Writable True False False
pagefile_0x00000000001a0000 0x001a0000 0x001a3fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory Readable True False False
private_0x00000000001c0000 0x001c0000 0x001c1fff Private Memory Readable, Writable True False False
locale.nls 0x001d0000 0x0028dfff Memory Mapped File Readable False False False
private_0x0000000000290000 0x00290000 0x00290fff Private Memory Readable, Writable True False False
msvfw32.dll.mui 0x002a0000 0x002a1fff Memory Mapped File Readable False False False
avicap32.dll.mui 0x002b0000 0x002b2fff Memory Mapped File Readable False False False
private_0x00000000002c0000 0x002c0000 0x002cffff Private Memory Readable, Writable True False False
private_0x00000000002d0000 0x002d0000 0x0030ffff Private Memory Readable, Writable True False False
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory Readable, Writable True False False
private_0x0000000000410000 0x00410000 0x0044ffff Private Memory Readable, Writable True False False
private_0x0000000000450000 0x00450000 0x00453fff Private Memory Readable, Writable True False False
private_0x0000000000460000 0x00460000 0x0047ffff Private Memory Readable, Writable, Executable True False False
private_0x0000000000480000 0x00480000 0x00480fff Private Memory Readable, Writable, Executable True False False
private_0x0000000000490000 0x00490000 0x00492fff Private Memory Readable, Writable True False False
private_0x0000000000490000 0x00490000 0x0049ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000490000 0x00490000 0x00494fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000490000 0x00490000 0x00490fff Private Memory Readable, Writable True False False
private_0x00000000004a0000 0x004a0000 0x004a3fff Private Memory Readable, Writable True False False
private_0x00000000004b0000 0x004b0000 0x005affff Private Memory Readable, Writable True False False
pagefile_0x00000000005b0000 0x005b0000 0x00737fff Pagefile Backed Memory Readable True False False
private_0x0000000000740000 0x00740000 0x0083ffff Private Memory Readable, Writable True False False
private_0x0000000000840000 0x00840000 0x0087ffff Private Memory Readable, Writable True False False
private_0x0000000000840000 0x00840000 0x00851fff Private Memory Readable, Writable True False False
private_0x0000000000840000 0x00840000 0x00840fff Private Memory Readable, Writable, Executable True False False
pagefile_0x0000000000840000 0x00840000 0x00840fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000850000 0x00850000 0x00853fff Private Memory Readable, Writable True False False
private_0x0000000000850000 0x00850000 0x00851fff Private Memory Readable, Writable True False False
private_0x0000000000860000 0x00860000 0x00863fff Private Memory Readable, Writable True False False
private_0x0000000000870000 0x00870000 0x00873fff Private Memory Readable, Writable True False False
private_0x00000000008a0000 0x008a0000 0x008affff Private Memory Readable, Writable True False False
pagefile_0x00000000008b0000 0x008b0000 0x00a30fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000a40000 0x00a40000 0x01e3ffff Pagefile Backed Memory Readable True False False
private_0x0000000001e40000 0x01e40000 0x01f3ffff Private Memory Readable, Writable True False False
private_0x0000000001f40000 0x01f40000 0x01f7ffff Private Memory Readable, Writable True False False
private_0x0000000001fa0000 0x01fa0000 0x01faffff Private Memory Readable, Writable True False False
private_0x0000000001fc0000 0x01fc0000 0x02017fff Private Memory Readable, Writable, Executable True False False
private_0x0000000002030000 0x02030000 0x0203ffff Private Memory Readable, Writable True False False
private_0x0000000002040000 0x02040000 0x021effff Private Memory Readable, Writable True False False
private_0x0000000002040000 0x02040000 0x0213ffff Private Memory Readable, Writable True False False
private_0x0000000002140000 0x02140000 0x02189fff Private Memory Readable, Writable True False False
private_0x0000000002140000 0x02140000 0x0217ffff Private Memory Readable, Writable True False False
private_0x0000000002180000 0x02180000 0x021bffff Private Memory Readable, Writable True False False
private_0x00000000021e0000 0x021e0000 0x021effff Private Memory Readable, Writable True False False
private_0x00000000021f0000 0x021f0000 0x022effff Private Memory Readable, Writable True False False
private_0x00000000022f0000 0x022f0000 0x023effff Private Memory Readable, Writable True False False
private_0x0000000002390000 0x02390000 0x0241ffff Private Memory Readable, Writable True False False
sortdefault.nls 0x02420000 0x02756fff Memory Mapped File Readable False False False
private_0x0000000002760000 0x02760000 0x0285ffff Private Memory Readable, Writable True False False
private_0x0000000002940000 0x02940000 0x029cffff Private Memory Readable, Writable True False False
updee12df24.exe 0x0d160000 0x0d1aefff Memory Mapped File Readable, Writable, Executable True False False
wow64cpu.dll 0x581b0000 0x581b7fff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x581c0000 0x5820efff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x58210000 0x58282fff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x736c0000 0x736e0fff Memory Mapped File Readable, Writable, Executable False False False
msacm32.dll 0x736f0000 0x73707fff Memory Mapped File Readable, Writable, Executable False False False
winmmbase.dll 0x73710000 0x73732fff Memory Mapped File Readable, Writable, Executable False False False
winmm.dll 0x73740000 0x73763fff Memory Mapped File Readable, Writable, Executable False False False
msvfw32.dll 0x73770000 0x73792fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x737a0000 0x73831fff Memory Mapped File Readable, Writable, Executable False False False
avifil32.dll 0x73870000 0x7388bfff Memory Mapped File Readable, Writable, Executable False False False
apphelp.dll 0x73890000 0x73920fff Memory Mapped File Readable, Writable, Executable False False False
pdh.dll 0x73a10000 0x73a52fff Memory Mapped File Readable, Writable, Executable False False False
avicap32.dll 0x73a60000 0x73a73fff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x73f70000 0x74230fff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x74470000 0x74497fff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x744a0000 0x744cefff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x744d0000 0x744e2fff Memory Mapped File Readable, Writable, Executable False False False
winnsi.dll 0x74520000 0x74527fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x74530000 0x745a4fff Memory Mapped File Readable, Writable, Executable False False False
secur32.dll 0x745b0000 0x745b9fff Memory Mapped File Readable, Writable, Executable False False False
iphlpapi.dll 0x745c0000 0x745effff Memory Mapped File Readable, Writable, Executable False False False
bcrypt.dll 0x74610000 0x7462afff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x74630000 0x7478ffff Memory Mapped File Readable, Writable, Executable False False False
bcryptprimitives.dll 0x74840000 0x74898fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x748a0000 0x748a9fff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x748b0000 0x748cdfff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x74990000 0x74a7ffff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x74a80000 0x74b2bfff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x74ca0000 0x74ca6fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x74d10000 0x74e5cfff Memory Mapped File Readable, Writable, Executable False False False
windows.storage.dll 0x74e60000 0x7533cfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x753a0000 0x753e2fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x753f0000 0x754adfff Memory Mapped File Readable, Writable, Executable False False False
powrprof.dll 0x754c0000 0x75503fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x75690000 0x75779fff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x75780000 0x75785fff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x75790000 0x757ebfff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x757f0000 0x7586afff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x75870000 0x758a5fff Memory Mapped File Readable, Writable, Executable False False False
kernel.appcore.dll 0x75960000 0x7596bfff Memory Mapped File Readable, Writable, Executable False False False
shcore.dll 0x75a00000 0x75a8cfff Memory Mapped File Readable, Writable, Executable False False False
combase.dll 0x75a90000 0x75c49fff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x75c50000 0x75c5efff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x75c60000 0x75c8afff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x75c90000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x75dd0000 0x75e61fff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75e70000 0x75fe5fff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x76050000 0x7740efff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x77410000 0x77453fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x77680000 0x7779ffff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x777a0000 0x77918fff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007fea7000 0x7fea7000 0x7fea9fff Private Memory Readable, Writable True False False
private_0x000000007feaa000 0x7feaa000 0x7feacfff Private Memory Readable, Writable True False False
private_0x000000007fead000 0x7fead000 0x7feaffff Private Memory Readable, Writable True False False
pagefile_0x000000007feb0000 0x7feb0000 0x7ffaffff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffd5000 0x7ffd5000 0x7ffd7fff Private Memory Readable, Writable True False False
private_0x000000007ffd8000 0x7ffd8000 0x7ffdafff Private Memory Readable, Writable True False False
private_0x000000007ffdb000 0x7ffdb000 0x7ffddfff Private Memory Readable, Writable True False False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7ffe18a2ffff Private Memory Readable True False False
ntdll.dll 0x7ffe18a30000 0x7ffe18bf1fff Memory Mapped File Readable, Writable, Executable False False False
private_0x00007ffe18bf2000 0x7ffe18bf2000 0x7ffffffeffff Private Memory Readable True False False
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count
Modify Memory #8: c:\windows\syswow64\svchost.exe 0x7f4 address = 0x460000, size = 131072 True 1
Modify Memory #8: c:\windows\syswow64\svchost.exe 0x7f4 address = 0x47b6a4, size = 4 True 1
Modify Memory #8: c:\windows\syswow64\svchost.exe 0x7f4 address = 0x47b7c0, size = 4 True 1
Modify Memory #8: c:\windows\syswow64\svchost.exe 0x7f4 address = 0x47bdb4, size = 4 True 1
Create Remote Thread #8: c:\windows\syswow64\svchost.exe 0x7f4 address = 0x46b50c True 1
Created Files
Filename File Size Hash Values YARA Match
c:\users\ciihmn~1\appdata\local\temp\upd3171fe7c.bat 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 False
c:\users\ciihmn~1\appdata\local\temp\upd3171fe7c.bat 0.21 KB (216 bytes) MD5: a0db5e235a3bd5ca182e4a13ebaaae54 SHA1: cd66857e9c9884b4628aabb61efc1395720ca834 SHA256: bbab54e96dda0a86cd9ca1197fdb44a691b653ea5a3f6752180889b28a3d1828 False
Host Behavior
File (91)
Operation Filename Additional Information Success Count
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create - desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ False 4
Create - desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 4
Create \??\C:\Users\CIIHMN~1\AppData\Local\Temp\updee12df24.exe desired_access = FILE_READ_EA, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\updee12df24.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create \??\C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe desired_access = FILE_WRITE_EA, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming desired_access = GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe desired_access = FILE_WRITE_ATTRIBUTES, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys desired_access = FILE_WRITE_ATTRIBUTES, share_mode = FILE_SHARE_READ False 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\upd3171fe7c.bat desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 2
Create Directory - - False 6
Get Info C:\Users type = file_attributes True 4
Get Info C:\Users\CIiHmnxMn6Ps type = file_attributes True 4
Get Info C:\Users\CIiHmnxMn6Ps\AppData type = file_attributes True 4
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming type = file_attributes True 4
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia type = file_attributes True 4
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player type = file_attributes True 4
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com type = file_attributes True 4
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support type = file_attributes True 4
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer type = file_attributes True 4
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys type = file_attributes True 4
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 11267 True 1
Get Info - type = file_attributes False 6
Get Info \??\C:\Users\CIIHMN~1\AppData\Local\Temp\updee12df24.exe type = extended False 1
Get Info 1FD2DA8383A3F98259159BBEE117BD1D type = file_attributes False 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 13746 True 1
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\updee12df24.exe type = size, size_out = 303104 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming type = time True 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 11267, size_out = 11267 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 13746, size_out = 13746 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 13987, size_out = 13987 True 1
Read C:\Users\CIIHMN~1\AppData\Local\Temp\updee12df24.exe size = 303104, size_out = 303104 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 11887 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 13987 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 14217 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe size = 303104 True 1
Write C:\Users\CIIHMN~1\AppData\Local\Temp\upd3171fe7c.bat size = 216 True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe - True 1
Registry (13)
Operation Key Additional Information Success Count
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 2
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run - True 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = InstallDate, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = DigitalProductId False 1
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_BINARY True 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run value_name = containers.exe True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run value_name = containers.exe False 1
Delete Value HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run value_name = containers.exe True 2
Process (2)
Operation Process Additional Information Success Count
Create "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe" os_pid = 0x1a4, creation_flags = CREATE_DEFAULT_ERROR_MODE, show_window = SW_HIDE True 1
Create "C:\Windows\system32\cmd.exe" /c "C:\Users\CIIHMN~1\AppData\Local\Temp\upd3171fe7c.bat" os_pid = 0xf7c, creation_flags = CREATE_DEFAULT_ERROR_MODE, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
Module (85)
Operation Module Additional Information Success Count
Load KERNEL32.dll base_address = 0x74990000 True 2
Load USER32.dll base_address = 0x75c90000 True 2
Load NTDLL base_address = 0x777a0000 True 6
Load psapi.dll base_address = 0x75780000 True 1
Load SSPICLI base_address = 0x748b0000 True 2
Load kernel32 base_address = 0x74990000 True 1
Load api-ms-win-core-com-l1-1-0 base_address = 0x75a90000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x74990000 True 3
Get Handle c:\users\ciihmn~1\appdata\local\temp\updee12df24.exe base_address = 0xd160000 True 2
Get Handle c:\windows\syswow64\advapi32.dll base_address = 0x757f0000 True 4
Get Handle c:\windows\syswow64\shlwapi.dll base_address = 0x77410000 True 2
Get Handle psapi.dll base_address = 0x0 False 1
Get Handle c:\windows\syswow64\secur32.dll base_address = 0x745b0000 True 2
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x777a0000 True 3
Get Handle c:\windows\syswow64\shell32.dll base_address = 0x76050000 True 1
Get Handle c:\windows\syswow64\ole32.dll base_address = 0x75690000 True 1
Get Handle c:\windows\syswow64\psapi.dll base_address = 0x75780000 True 1
Get Handle c:\windows\syswow64\user32.dll base_address = 0x75c90000 True 1
Get Filename - process_name = c:\users\ciihmn~1\appdata\local\temp\updee12df24.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Local\Temp\updee12df24.exe, size = 260 True 1
Get Filename psapi.dll process_name = c:\users\ciihmn~1\appdata\local\temp\updee12df24.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Local\Temp\updee12df24.exe, size = 260 True 1
Get Filename Unknown module name process_name = c:\users\ciihmn~1\appdata\local\temp\updee12df24.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Local\Temp\updee12df24.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x749aa330 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x749a7580 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x749a9910 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x749af400 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedExchange, address_out = 0x749a7650 True 2
Get Address c:\windows\syswow64\kernel32.dll function = HeapCreate, address_out = 0x749a9950 True 3
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x749a25e0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x777dbae0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x777dda90 True 3
Get Address c:\windows\syswow64\kernel32.dll function = HeapDestroy, address_out = 0x749ad940 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x749a7910 True 2
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedIncrement, address_out = 0x749a7520 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x749a9640 True 2
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x749a77b0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x749ad8d0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryW, address_out = 0x749aa0b0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x749a7940 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x749a9660 True 2
Get Address c:\windows\syswow64\user32.dll function = LoadImageW, address_out = 0x75cc4500 True 2
Get Address c:\windows\syswow64\ntdll.dll function = RtlAddVectoredExceptionHandler, address_out = 0x777ff090 True 2
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitializeCriticalSection, address_out = 0x777f95f0 True 2
Get Address c:\windows\syswow64\sspicli.dll function = GetUserNameExW, address_out = 0x748bc5f0 True 2
Get Address Unknown module name function = SetLayeredWindowAttributes, address_out = 0x0 False 1
Get Address c:\windows\syswow64\combase.dll function = CLSIDFromString, address_out = 0x75b41390 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlRemoveVectoredExceptionHandler, address_out = 0x777c8870 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlDeleteCriticalSection, address_out = 0x777f9920 True 1
Window (1027)
Operation Window Name Additional Information Success Count
Create Press class_name = BUTTON, wndproc_parameter = 0 True 1
Create Окно class_name = iClass, wndproc_parameter = 0 False 1
Create Окно class_name = iClass, wndproc_parameter = 0 False 776
Set Attribute - index = 18446744073709551612, new_long = 0 False 249
System (831)
Operation Additional Information Success Count
Get Computer Name result_out = LHNIWSJ True 1
Get Cursor x_out = 972, y_out = 552 True 4
Get Cursor x_out = 233, y_out = 265 True 3
Get Cursor x_out = 1154, y_out = 739 True 2
Sleep duration = 500 milliseconds (0.500 seconds) True 3
Sleep duration = 100 milliseconds (0.100 seconds) True 19
Sleep duration = -1 (infinite) True 1
Get Time type = Local Time, time = 2017-11-30 14:38:00 (Local Time) True 1
Get Time type = System Time, time = 2017-11-30 03:38:00 (UTC) True 1
Get Time type = System Time, time = 2017-11-30 03:38:27 (UTC) True 8
Get Time type = Local Time, time = 2017-11-30 14:38:27 (Local Time) True 3
Get Time type = System Time, time = 2017-11-30 03:38:29 (UTC) True 3
Get Info type = Operating System False 5
Get Info type = Hardware Information True 777
Mutex (18)
Operation Additional Information Success Count
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Create mutex_name = 8C5FF35F44C67C34381EFF128FE58575 True 1
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Create mutex_name = 4F35AC27449784784508471CC1E930C7 True 1
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 7
Open mutex_name = ACD86ED691154353041C7827C4241C0D, desired_access = SYNCHRONIZE True 1
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Release mutex_name = 8C5FF35F44C67C34381EFF128FE58575 True 1
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 2
Release mutex_name = 4F35AC27449784784508471CC1E930C7 True 1
Environment (3)
Operation Additional Information Success Count
Get Environment String - True 2
Get Environment String name = ComSpec, result_out = C:\Windows\system32\cmd.exe True 1
Process #13: containers.exe
(Host: 2405, Network: 0)
Information Value
ID #13
File Name c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe
Command Line "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe"
Initial Working Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\
Monitor Start Time: 00:03:33, Reason: Child Process
Unmonitor End Time: 00:15:27, Reason: Terminated by Timeout
Monitor Duration 00:11:54
OS Process Information
Information Value
PID 0x1a4
Parent PID 0xa44 (c:\users\ciihmn~1\appdata\local\temp\updee12df24.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0001400a (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x204
0x26C
0x200
0xCDC
0xCE4
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00023fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False
pagefile_0x0000000000040000 0x00040000 0x00053fff Pagefile Backed Memory Readable True False False
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory Readable, Writable True False False
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory Readable, Writable True False False
pagefile_0x00000000001a0000 0x001a0000 0x001a3fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory Readable True False False
private_0x00000000001c0000 0x001c0000 0x001c1fff Private Memory Readable, Writable True False False
private_0x00000000001d0000 0x001d0000 0x0020ffff Private Memory Readable, Writable True False False
private_0x0000000000210000 0x00210000 0x00210fff Private Memory Readable, Writable True False False
msvfw32.dll.mui 0x00220000 0x00221fff Memory Mapped File Readable False False False
avicap32.dll.mui 0x00230000 0x00232fff Memory Mapped File Readable False False False
private_0x0000000000240000 0x00240000 0x00243fff Private Memory Readable, Writable True False False
private_0x0000000000250000 0x00250000 0x0025ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000250000 0x00250000 0x00254fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000250000 0x00250000 0x00250fff Private Memory Readable, Writable True False False
private_0x0000000000260000 0x00260000 0x0026ffff Private Memory Readable, Writable True False False
locale.nls 0x00270000 0x0032dfff Memory Mapped File Readable False False False
private_0x0000000000330000 0x00330000 0x00341fff Private Memory Readable, Writable True False False
private_0x0000000000330000 0x00330000 0x0036ffff Private Memory Readable, Writable True False False
private_0x0000000000370000 0x00370000 0x00370fff Private Memory Readable, Writable, Executable True False False
pagefile_0x0000000000370000 0x00370000 0x00370fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000380000 0x00380000 0x00383fff Private Memory Readable, Writable True False False
private_0x0000000000390000 0x00390000 0x00390fff Private Memory Readable, Writable True False False
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory Readable, Writable True False False
private_0x00000000004b0000 0x004b0000 0x005affff Private Memory Readable, Writable True False False
pagefile_0x00000000005b0000 0x005b0000 0x00737fff Pagefile Backed Memory Readable True False False
private_0x0000000000750000 0x00750000 0x007dffff Private Memory Readable, Writable True False False
private_0x00000000007f0000 0x007f0000 0x007fffff Private Memory Readable, Writable True False False
private_0x0000000000850000 0x00850000 0x0085ffff Private Memory Readable, Writable True False False
private_0x0000000000890000 0x00890000 0x0089ffff Private Memory Readable, Writable True False False
pagefile_0x00000000008a0000 0x008a0000 0x00a20fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000a30000 0x00a30000 0x01e2ffff Pagefile Backed Memory Readable True False False
private_0x0000000001e30000 0x01e30000 0x01f0ffff Private Memory Readable, Writable True False False
private_0x0000000001e90000 0x01e90000 0x01ee7fff Private Memory Readable, Writable, Executable True False False
private_0x0000000001f00000 0x01f00000 0x01f0ffff Private Memory Readable, Writable True False False
sortdefault.nls 0x01f10000 0x02246fff Memory Mapped File Readable False False False
private_0x0000000002250000 0x02250000 0x0234ffff Private Memory Readable, Writable True False False
private_0x0000000002350000 0x02350000 0x0244ffff Private Memory Readable, Writable True False False
private_0x0000000002450000 0x02450000 0x0254ffff Private Memory Readable, Writable True False False
containers.exe 0x0d160000 0x0d1aefff Memory Mapped File Readable, Writable, Executable True False False
wow64cpu.dll 0x581b0000 0x581b7fff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x581c0000 0x5820efff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x58210000 0x58282fff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x736c0000 0x736e0fff Memory Mapped File Readable, Writable, Executable False False False
msacm32.dll 0x736f0000 0x73707fff Memory Mapped File Readable, Writable, Executable False False False
winmmbase.dll 0x73710000 0x73732fff Memory Mapped File Readable, Writable, Executable False False False
winmm.dll 0x73740000 0x73763fff Memory Mapped File Readable, Writable, Executable False False False
msvfw32.dll 0x73770000 0x73792fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x737a0000 0x73831fff Memory Mapped File Readable, Writable, Executable False False False
avifil32.dll 0x73870000 0x7388bfff Memory Mapped File Readable, Writable, Executable False False False
pdh.dll 0x73a10000 0x73a52fff Memory Mapped File Readable, Writable, Executable False False False
avicap32.dll 0x73a60000 0x73a73fff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x73f70000 0x74230fff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x74470000 0x74497fff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x744a0000 0x744cefff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x744d0000 0x744e2fff Memory Mapped File Readable, Writable, Executable False False False
winnsi.dll 0x74520000 0x74527fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x74530000 0x745a4fff Memory Mapped File Readable, Writable, Executable False False False
secur32.dll 0x745b0000 0x745b9fff Memory Mapped File Readable, Writable, Executable False False False
iphlpapi.dll 0x745c0000 0x745effff Memory Mapped File Readable, Writable, Executable False False False
bcrypt.dll 0x74610000 0x7462afff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x74630000 0x7478ffff Memory Mapped File Readable, Writable, Executable False False False
bcryptprimitives.dll 0x74840000 0x74898fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x748a0000 0x748a9fff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x748b0000 0x748cdfff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x74990000 0x74a7ffff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x74a80000 0x74b2bfff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x74ca0000 0x74ca6fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x74d10000 0x74e5cfff Memory Mapped File Readable, Writable, Executable False False False
windows.storage.dll 0x74e60000 0x7533cfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x753a0000 0x753e2fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x753f0000 0x754adfff Memory Mapped File Readable, Writable, Executable False False False
powrprof.dll 0x754c0000 0x75503fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x75690000 0x75779fff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x75780000 0x75785fff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x75790000 0x757ebfff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x757f0000 0x7586afff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x75870000 0x758a5fff Memory Mapped File Readable, Writable, Executable False False False
kernel.appcore.dll 0x75960000 0x7596bfff Memory Mapped File Readable, Writable, Executable False False False
shcore.dll 0x75a00000 0x75a8cfff Memory Mapped File Readable, Writable, Executable False False False
combase.dll 0x75a90000 0x75c49fff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x75c50000 0x75c5efff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x75c60000 0x75c8afff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x75c90000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x75dd0000 0x75e61fff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75e70000 0x75fe5fff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x76050000 0x7740efff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x77410000 0x77453fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x77680000 0x7779ffff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x777a0000 0x77918fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007feb0000 0x7feb0000 0x7ffaffff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffd5000 0x7ffd5000 0x7ffd7fff Private Memory Readable, Writable True False False
private_0x000000007ffd8000 0x7ffd8000 0x7ffdafff Private Memory Readable, Writable True False False
private_0x000000007ffdb000 0x7ffdb000 0x7ffddfff Private Memory Readable, Writable True False False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7ffe18a2ffff Private Memory Readable True False False
ntdll.dll 0x7ffe18a30000 0x7ffe18bf1fff Memory Mapped File Readable, Writable, Executable False False False
private_0x00007ffe18bf2000 0x7ffe18bf2000 0x7ffffffeffff Private Memory Readable True False False
Host Behavior
File (37)
Operation Filename Additional Information Success Count Logfile
Create - desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ False 2
Create - desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 2
Create \??\C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe desired_access = FILE_READ_EA, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create Directory - - False 1
Get Info - type = file_attributes False 1
Get Info \??\C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe type = extended True 1
Get Info C:\Users type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys type = file_attributes True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 2556 True 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 2556, size_out = 2556 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 2816, size_out = 2816 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 2816 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 3076 True 1
Registry (7)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 2
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = InstallDate, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = DigitalProductId False 1
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_BINARY True 2
Process (2)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\SysWOW64\svchost.exe -k netsvcs os_pid = 0xd84, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Create C:\Windows\SysWOW64\svchost.exe -k netsvcs os_pid = 0x3d0, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Thread (2)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\SysWOW64\svchost.exe -k netsvcs proc_address = 0x504b50c, proc_parameter = 0, flags = THREAD_RUNS_IMMEDIATELY True 1
Create C:\Windows\SysWOW64\svchost.exe -k netsvcs proc_address = 0x412b50c, proc_parameter = 0, flags = THREAD_RUNS_IMMEDIATELY True 1
Memory (10)
Operation Process Additional Information Success Count Logfile
Allocate C:\Windows\SysWOW64\svchost.exe -k netsvcs address = 0x5040000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 131072 True 1
Allocate C:\Windows\SysWOW64\svchost.exe -k netsvcs address = 0x4120000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 131072 True 1
Write C:\Windows\SysWOW64\svchost.exe -k netsvcs address = 0x5040000, size = 131072 True 1
Write C:\Windows\SysWOW64\svchost.exe -k netsvcs address = 0x505b6a4, size = 4 True 1
Write C:\Windows\SysWOW64\svchost.exe -k netsvcs address = 0x505b7c0, size = 4 True 1
Write C:\Windows\SysWOW64\svchost.exe -k netsvcs address = 0x505bdb4, size = 4 True 1
Write C:\Windows\SysWOW64\svchost.exe -k netsvcs address = 0x4120000, size = 131072 True 1
Write C:\Windows\SysWOW64\svchost.exe -k netsvcs address = 0x413b6a4, size = 4 True 1
Write C:\Windows\SysWOW64\svchost.exe -k netsvcs address = 0x413b7c0, size = 4 True 1
Write C:\Windows\SysWOW64\svchost.exe -k netsvcs address = 0x413bdb4, size = 4 True 1
Module (52)
Operation Module Additional Information Success Count Logfile
Load kernel32 base_address = 0x74990000 True 1
Load KERNEL32.dll base_address = 0x74990000 True 1
Load USER32.dll base_address = 0x75c90000 True 1
Load NTDLL base_address = 0x777a0000 True 2
Load SSPICLI base_address = 0x748b0000 True 1
Load api-ms-win-core-com-l1-1-0 base_address = 0x75a90000 True 1
Load psapi.dll base_address = 0x75780000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x74990000 True 3
Get Handle c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe base_address = 0xd160000 True 2
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x777a0000 True 3
Get Handle c:\windows\syswow64\advapi32.dll base_address = 0x757f0000 True 3
Get Handle c:\windows\syswow64\shlwapi.dll base_address = 0x77410000 True 1
Get Handle c:\windows\syswow64\secur32.dll base_address = 0x745b0000 True 1
Get Handle c:\windows\syswow64\shell32.dll base_address = 0x76050000 True 1
Get Handle c:\windows\syswow64\ole32.dll base_address = 0x75690000 True 1
Get Handle psapi.dll base_address = 0x0 False 1
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe, size = 260 True 1
Get Filename psapi.dll process_name = c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x749aa330 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x749a7580 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x749a9910 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x749af400 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapCreate, address_out = 0x749a9950 True 2
Get Address Unknown module name function = SetLayeredWindowAttributes, address_out = 0x0 False 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x777dda90 True 2
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedExchange, address_out = 0x749a7650 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x749a25e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x777dbae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapDestroy, address_out = 0x749ad940 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x749a7910 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedIncrement, address_out = 0x749a7520 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x749a9640 True 1
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x749a77b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x749ad8d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryW, address_out = 0x749aa0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x749a7940 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x749a9660 True 1
Get Address c:\windows\syswow64\user32.dll function = LoadImageW, address_out = 0x75cc4500 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlAddVectoredExceptionHandler, address_out = 0x777ff090 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitializeCriticalSection, address_out = 0x777f95f0 True 1
Get Address c:\windows\syswow64\sspicli.dll function = GetUserNameExW, address_out = 0x748bc5f0 True 1
Get Address c:\windows\syswow64\combase.dll function = CLSIDFromString, address_out = 0x75b41390 True 1
Window (1248)
Operation Window Name Additional Information Success Count Logfile
Create Press class_name = BUTTON, wndproc_parameter = 0 True 1
Create Окно class_name = iClass, wndproc_parameter = 0 False 1
Create Окно class_name = iClass, wndproc_parameter = 0 False 997
Set Attribute - index = 18446744073709551612, new_long = 0 False 249
System (1020)
Operation Additional Information Success Count Logfile
Get Computer Name result_out = LHNIWSJ True 1
Get Cursor x_out = 1097, y_out = 484 True 5
Get Cursor x_out = 859, y_out = 14 True 3
Get Cursor x_out = 390, y_out = 885 True 1
Get Cursor x_out = 1403, y_out = 443 True 1
Get Time type = System Time, time = 2017-11-30 03:39:00 (UTC) True 5
Get Time type = Local Time, time = 2017-11-30 14:39:00 (Local Time) True 3
Get Info type = Hardware Information True 998
Get Info type = Operating System False 3
Mutex (14)
Operation Additional Information Success Count Logfile
Create mutex_name = 8C5FF35F44C67C34381EFF128FE58575 True 1
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 3
Create mutex_name = DD53550AC9EB25CC6151CE1EB2A70FC3 True 1
Create mutex_name = B7B640FD598619C28BD4F0051E0616B4 True 1
Create mutex_name = C144897552FBD8087BCACE2DF5968566 True 1
Open mutex_name = 4F35AC27449784784508471CC1E930C7, desired_access = SYNCHRONIZE True 1
Open mutex_name = 8EB663269EDB2551D78D6BE980D8D1D5, desired_access = SYNCHRONIZE False 2
Open mutex_name = 8592029A1BBD0F5EDCA2A860E613ACDB, desired_access = SYNCHRONIZE False 2
Release mutex_name = 8C5FF35F44C67C34381EFF128FE58575 True 1
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Environment (2)
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Process #14: cmd.exe
(Host: 4381, Network: 0)
Information Value
ID #14
File Name c:\windows\syswow64\cmd.exe
Command Line "C:\Windows\system32\cmd.exe" /c "C:\Users\CIIHMN~1\AppData\Local\Temp\upd3171fe7c.bat"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:05, Reason: Child Process
Unmonitor End Time: 00:15:27, Reason: Terminated by Timeout
Monitor Duration 00:11:22
OS Process Information
Information Value
PID 0xf7c
Parent PID 0xa44 (c:\users\ciihmn~1\appdata\local\temp\updee12df24.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0001400a (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xF88
0xFBC
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
cmd.exe 0x002b0000 0x002fffff Memory Mapped File Readable, Writable, Executable True False False
pagefile_0x0000000000e40000 0x00e40000 0x04e3ffff Pagefile Backed Memory - True False False
private_0x0000000004e40000 0x04e40000 0x04e5ffff Private Memory Readable, Writable True False False
pagefile_0x0000000004e40000 0x04e40000 0x04e4ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000004e50000 0x04e50000 0x04e53fff Private Memory Readable, Writable True False False
private_0x0000000004e60000 0x04e60000 0x04e61fff Private Memory Readable, Writable True False False
private_0x0000000004e60000 0x04e60000 0x04e63fff Private Memory Readable, Writable True False False
pagefile_0x0000000004e70000 0x04e70000 0x04e83fff Pagefile Backed Memory Readable True False False
private_0x0000000004e90000 0x04e90000 0x04ecffff Private Memory Readable, Writable True False False
private_0x0000000004ed0000 0x04ed0000 0x04fcffff Private Memory Readable, Writable True False False
pagefile_0x0000000004fd0000 0x04fd0000 0x04fd3fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000004fe0000 0x04fe0000 0x04fe0fff Pagefile Backed Memory Readable True False False
private_0x0000000004ff0000 0x04ff0000 0x04ff1fff Private Memory Readable, Writable True False False
private_0x0000000005000000 0x05000000 0x0503ffff Private Memory Readable, Writable True False False
private_0x0000000005040000 0x05040000 0x0504ffff Private Memory Readable, Writable True False False
private_0x0000000005050000 0x05050000 0x0505ffff Private Memory Readable, Writable True False False
locale.nls 0x05060000 0x0511dfff Memory Mapped File Readable False False False
private_0x0000000005140000 0x05140000 0x0523ffff Private Memory Readable, Writable True False False
private_0x0000000005240000 0x05240000 0x0533ffff Private Memory Readable, Writable True False False
cmd.exe.mui 0x05340000 0x05360fff Memory Mapped File Readable False False False
kernelbase.dll.mui 0x05370000 0x0544efff Memory Mapped File Readable False False False
private_0x0000000005450000 0x05450000 0x0545ffff Private Memory Readable, Writable True False False
wow64cpu.dll 0x581b0000 0x581b7fff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x581c0000 0x5820efff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x58210000 0x58282fff Memory Mapped File Readable, Writable, Executable False False False
cmdext.dll 0x74600000 0x74607fff Memory Mapped File Readable, Writable, Executable False False False
bcryptprimitives.dll 0x74840000 0x74898fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x748a0000 0x748a9fff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x748b0000 0x748cdfff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x74990000 0x74a7ffff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x74a80000 0x74b2bfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x753a0000 0x753e2fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x753f0000 0x754adfff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x757f0000 0x7586afff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75e70000 0x75fe5fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x777a0000 0x77918fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007ee50000 0x7ee50000 0x7ef4ffff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ef50000 0x7ef50000 0x7ef72fff Pagefile Backed Memory Readable True False False
private_0x000000007ef76000 0x7ef76000 0x7ef76fff Private Memory Readable, Writable True False False
private_0x000000007ef79000 0x7ef79000 0x7ef79fff Private Memory Readable, Writable True False False
private_0x000000007ef7a000 0x7ef7a000 0x7ef7cfff Private Memory Readable, Writable True False False
private_0x000000007ef7d000 0x7ef7d000 0x7ef7ffff Private Memory Readable, Writable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7dfe18a2ffff Private Memory Readable True False False
pagefile_0x00007dfe18a30000 0x7dfe18a30000 0x7ffe18a2ffff Pagefile Backed Memory - True False False
ntdll.dll 0x7ffe18a30000 0x7ffe18bf1fff Memory Mapped File Readable, Writable, Executable False False False
private_0x00007ffe18bf2000 0x7ffe18bf2000 0x7ffffffeffff Private Memory Readable True False False
Host Behavior
File (4344)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\upd3171fe7c.bat desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 173
Create C:\Users\CIIHMN~1\AppData\Local\Temp\upd3171fe7c.bat desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Get Info C:\Windows\system32 type = file_attributes True 1
Get Info C:\Windows\System32 type = file_attributes True 1
Get Info - type = file_type True 509
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\updee12df24.exe type = file_attributes True 170
Get Info STD_OUTPUT_HANDLE type = file_type True 84
Get Info STD_ERROR_HANDLE type = file_type True 85
Get Info - type = size True 84
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\upd3171fe7c.bat type = file_attributes True 2
Open STD_OUTPUT_HANDLE - True 601
Open STD_INPUT_HANDLE - True 175
Open - - True 1616
Open \??\C:\Users\CIIHMN~1\AppData\Local\Temp\UPDEE1~1.EXE desired_access = DELETE, open_options = FILE_NON_DIRECTORY_FILE, FILE_DELETE_ON_CLOSE, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_DELETE False 84
Open STD_ERROR_HANDLE - True 255
Read - size = 8191, size_out = 216 True 1
Read - size = 8191, size_out = 205 True 1
Read - size = 8191, size_out = 201 True 28
Read - size = 8191, size_out = 135 True 28
Read - size = 512, size_out = 63 True 27
Read - size = 512, size_out = 0 True 27
Read - size = 512, size_out = 216 True 27
Read - size = 512, size_out = 205 True 27
Write STD_OUTPUT_HANDLE size = 54 True 84
Write STD_ERROR_HANDLE size = 19 True 84
Write STD_ERROR_HANDLE size = 33 True 1
Delete C:\Users\CIIHMN~1\AppData\Local\Temp\updee12df24.exe - False 84
Delete C:\Users\CIIHMN~1\AppData\Local\Temp\UPDEE1~1.EXE - False 84
Registry (17)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Module (8)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\syswow64\cmd.exe base_address = 0x2b0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x74990000 True 2
Get Filename - process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadUILanguage, address_out = 0x749d2780 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileExW, address_out = 0x749afa80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x749aa790 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x75f835c0 True 1
Environment (12)
Operation Additional Information Success Count Logfile
Get Environment String - True 4
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Get Environment String name = PROMPT False 1
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Get Environment String name = KEYS False 1
Set Environment String name = PROMPT, value = $P$G True 1
Set Environment String name = =C:, value = C:\Windows\System32 True 1
Process #16: svchost.exe
(Host: 20794, Network: 527)
Information Value
ID #16
File Name c:\windows\syswow64\svchost.exe
Command Line C:\Windows\SysWOW64\svchost.exe -k netsvcs
Initial Working Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\
Monitor Start Time: 00:05:05, Reason: Child Process
Unmonitor End Time: 00:15:27, Reason: Terminated by Timeout
Monitor Duration 00:10:22
OS Process Information
Information Value
PID 0xd84
Parent PID 0x1a4 (c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0001400a (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xD90
0xD8C
0xDA0
0xD94
0xDBC
0xDB8
0xDB0
0xDD0
0xFC4
0x694
0xCA8
0xCC0
0xC40
0xDF0
0x29C
0xD24
0x5C0
0xBE0
0x658
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
svchost.exe 0x000c0000 0x000cafff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000f40000 0x00f40000 0x04f3ffff Pagefile Backed Memory - True False False
private_0x0000000004f40000 0x04f40000 0x04f5ffff Private Memory Readable, Writable True False False
pagefile_0x0000000004f40000 0x04f40000 0x04f4ffff Pagefile Backed Memory Readable, Writable True False False
svchost.exe.mui 0x04f50000 0x04f50fff Memory Mapped File Readable False False False
private_0x0000000004f60000 0x04f60000 0x04f61fff Private Memory Readable, Writable True False False
private_0x0000000004f60000 0x04f60000 0x04f60fff Private Memory Readable, Writable True False False
pagefile_0x0000000004f70000 0x04f70000 0x04f83fff Pagefile Backed Memory Readable True False False
private_0x0000000004f90000 0x04f90000 0x04fcffff Private Memory Readable, Writable True False False
private_0x0000000004fd0000 0x04fd0000 0x0500ffff Private Memory Readable, Writable True False False
pagefile_0x0000000005010000 0x05010000 0x05013fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000005020000 0x05020000 0x05020fff Pagefile Backed Memory Readable True False False
private_0x0000000005030000 0x05030000 0x05031fff Private Memory Readable, Writable True False False
private_0x0000000005040000 0x05040000 0x0505ffff Private Memory Readable, Writable, Executable True False False
private_0x0000000005060000 0x05060000 0x0509ffff Private Memory Readable, Writable True False False
private_0x0000000005060000 0x05060000 0x05060fff Private Memory Readable, Writable True False False
private_0x0000000005060000 0x05060000 0x050a9fff Private Memory Readable, Writable True False False
pagefile_0x0000000005060000 0x05060000 0x05060fff Pagefile Backed Memory Readable, Writable True False False
counters.dat 0x05070000 0x05070fff Memory Mapped File Readable, Writable True False False
private_0x0000000005080000 0x05080000 0x050bffff Private Memory Readable, Writable True False False
private_0x00000000050a0000 0x050a0000 0x050dffff Private Memory Readable, Writable True False False
pagefile_0x00000000050c0000 0x050c0000 0x050cffff Pagefile Backed Memory Readable True False False
pagefile_0x00000000050d0000 0x050d0000 0x050d0fff Pagefile Backed Memory Readable, Writable True False False
locale.nls 0x050e0000 0x0519dfff Memory Mapped File Readable False False False
private_0x00000000051a0000 0x051a0000 0x051dffff Private Memory Readable, Writable True False False
private_0x00000000051e0000 0x051e0000 0x0521ffff Private Memory Readable, Writable True False False
imm32.dll 0x05220000 0x05249fff Memory Mapped File Readable False False False
private_0x0000000005220000 0x05220000 0x05220fff Private Memory Readable, Writable True False False
private_0x0000000005230000 0x05230000 0x05230fff Private Memory Readable, Writable, Executable True False False
private_0x0000000005240000 0x05240000 0x05240fff Private Memory Readable, Writable True False False
private_0x0000000005240000 0x05240000 0x0527ffff Private Memory Readable, Writable True False False
private_0x0000000005280000 0x05280000 0x05283fff Private Memory Readable, Writable True False False
pagefile_0x0000000005290000 0x05290000 0x05291fff Pagefile Backed Memory Readable True False False
private_0x00000000052a0000 0x052a0000 0x052a3fff Private Memory Readable, Writable True False False
private_0x00000000052b0000 0x052b0000 0x052b6fff Private Memory Readable, Writable True False False
private_0x00000000052c0000 0x052c0000 0x052fffff Private Memory Readable, Writable True False False
private_0x0000000005300000 0x05300000 0x053fffff Private Memory Readable, Writable True False False
private_0x0000000005400000 0x05400000 0x054fffff Private Memory Readable, Writable True False False
pagefile_0x0000000005500000 0x05500000 0x05687fff Pagefile Backed Memory Readable True False False
private_0x0000000005690000 0x05690000 0x05714fff Private Memory Readable, Writable True False False
private_0x0000000005690000 0x05690000 0x056cffff Private Memory Readable, Writable True False False
private_0x00000000056d0000 0x056d0000 0x0570ffff Private Memory Readable, Writable True False False
private_0x0000000005710000 0x05710000 0x05714fff Private Memory Readable, Writable True False False
private_0x0000000005720000 0x05720000 0x0591ffff Private Memory Readable, Writable True False False
private_0x0000000005720000 0x05720000 0x0575ffff Private Memory Readable, Writable True False False
private_0x0000000005760000 0x05760000 0x0579ffff Private Memory Readable, Writable True False False
private_0x00000000057a0000 0x057a0000 0x057dffff Private Memory Readable, Writable True False False
mswsock.dll.mui 0x057e0000 0x057e2fff Memory Mapped File Readable False False False
pagefile_0x00000000057f0000 0x057f0000 0x057f1fff Pagefile Backed Memory Readable True False False
private_0x0000000005800000 0x05800000 0x058fffff Private Memory Readable, Writable True False False
pagefile_0x0000000005900000 0x05900000 0x05a80fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000005a90000 0x05a90000 0x06e8ffff Pagefile Backed Memory Readable True False False
private_0x0000000006e90000 0x06e90000 0x06ecffff Private Memory Readable, Writable True False False
crypt32.dll.mui 0x06ed0000 0x06ed9fff Memory Mapped File Readable False False False
private_0x0000000006f00000 0x06f00000 0x06ffffff Private Memory Readable, Writable True False False
sortdefault.nls 0x07000000 0x07336fff Memory Mapped File Readable False False False
private_0x0000000007340000 0x07340000 0x0743ffff Private Memory Readable, Writable True False False
private_0x0000000007440000 0x07440000 0x0753ffff Private Memory Readable, Writable True False False
private_0x0000000007540000 0x07540000 0x0763ffff Private Memory Readable, Writable True False False
private_0x0000000007640000 0x07640000 0x0773ffff Private Memory Readable, Writable True False False
private_0x0000000007740000 0x07740000 0x0783ffff Private Memory Readable, Writable True False False
private_0x0000000007840000 0x07840000 0x0793ffff Private Memory Readable, Writable True False False
private_0x0000000007940000 0x07940000 0x07a3ffff Private Memory Readable, Writable True False False
private_0x0000000007a40000 0x07a40000 0x07ad4fff Private Memory Readable, Writable True False False
private_0x0000000007a40000 0x07a40000 0x07a7ffff Private Memory Readable, Writable True False False
private_0x0000000007a80000 0x07a80000 0x07abffff Private Memory Readable, Writable True False False
private_0x0000000007ad0000 0x07ad0000 0x07ad4fff Private Memory Readable, Writable True False False
private_0x0000000007ae0000 0x07ae0000 0x07cdffff Private Memory Readable, Writable True False False
private_0x0000000007b00000 0x07b00000 0x07bfffff Private Memory Readable, Writable True False False
ole32.dll 0x07c00000 0x07ce8fff Memory Mapped File Readable False False False
private_0x0000000007c00000 0x07c00000 0x07c3ffff Private Memory Readable, Writable True False False
private_0x0000000007c40000 0x07c40000 0x07c7ffff Private Memory Readable, Writable True False False
private_0x0000000007c80000 0x07c80000 0x07cbffff Private Memory Readable, Writable True False False
private_0x0000000007cc0000 0x07cc0000 0x07cfffff Private Memory Readable, Writable True False False
private_0x0000000007d00000 0x07d00000 0x07d3ffff Private Memory Readable, Writable True False False
private_0x0000000007d40000 0x07d40000 0x07d7ffff Private Memory Readable, Writable True False False
private_0x0000000007e00000 0x07e00000 0x07efffff Private Memory Readable, Writable True False False
wow64cpu.dll 0x581b0000 0x581b7fff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x581c0000 0x5820efff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x58210000 0x58282fff Memory Mapped File Readable, Writable, Executable False False False
ncryptsslp.dll 0x73a90000 0x73aa9fff Memory Mapped File Readable, Writable, Executable False False False
gpapi.dll 0x73ab0000 0x73acefff Memory Mapped File Readable, Writable, Executable False False False
ntasn1.dll 0x73ad0000 0x73af7fff Memory Mapped File Readable, Writable, Executable False False False
ncrypt.dll 0x73b00000 0x73b1ffff Memory Mapped File Readable, Writable, Executable False False False
schannel.dll 0x73b20000 0x73b7ffff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x73b80000 0x73d88fff Memory Mapped File Readable, Writable, Executable False False False
fwpuclnt.dll 0x73d90000 0x73dd5fff Memory Mapped File Readable, Writable, Executable False False False
dnsapi.dll 0x73de0000 0x73e63fff Memory Mapped File Readable, Writable, Executable False False False
mswsock.dll 0x73e70000 0x73ebdfff Memory Mapped File Readable, Writable, Executable False False False
winhttp.dll 0x73ec0000 0x73f66fff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x73f70000 0x74230fff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x74240000 0x74463fff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x74470000 0x74497fff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x744a0000 0x744cefff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x744d0000 0x744e2fff Memory Mapped File Readable, Writable, Executable False False False
dpapi.dll 0x744f0000 0x744f7fff Memory Mapped File Readable, Writable, Executable False False False
winnsi.dll 0x74520000 0x74527fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x74530000 0x745a4fff Memory Mapped File Readable, Writable, Executable False False False
secur32.dll 0x745b0000 0x745b9fff Memory Mapped File Readable, Writable, Executable False False False
iphlpapi.dll 0x745c0000 0x745effff Memory Mapped File Readable, Writable, Executable False False False
ondemandconnroutehelper.dll 0x745f0000 0x74600fff Memory Mapped File Readable, Writable, Executable False False False
bcrypt.dll 0x74610000 0x7462afff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x74630000 0x7478ffff Memory Mapped File Readable, Writable, Executable False False False
bcryptprimitives.dll 0x74840000 0x74898fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x748a0000 0x748a9fff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x748b0000 0x748cdfff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x74990000 0x74a7ffff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x74a80000 0x74b2bfff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x74ca0000 0x74ca6fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x74d10000 0x74e5cfff Memory Mapped File Readable, Writable, Executable False False False
windows.storage.dll 0x74e60000 0x7533cfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x753a0000 0x753e2fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x753f0000 0x754adfff Memory Mapped File Readable, Writable, Executable False False False
powrprof.dll 0x754c0000 0x75503fff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x75510000 0x75684fff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x75780000 0x75785fff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x75790000 0x757ebfff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x757f0000 0x7586afff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x758b0000 0x758bdfff Memory Mapped File Readable, Writable, Executable False False False
kernel.appcore.dll 0x75960000 0x7596bfff Memory Mapped File Readable, Writable, Executable False False False
shcore.dll 0x75a00000 0x75a8cfff Memory Mapped File Readable, Writable, Executable False False False
combase.dll 0x75a90000 0x75c49fff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x75c50000 0x75c5efff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x75c60000 0x75c8afff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x75c90000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x75dd0000 0x75e61fff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75e70000 0x75fe5fff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x76050000 0x7740efff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x77410000 0x77453fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x77680000 0x7779ffff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x777a0000 0x77918fff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007ee5b000 0x7ee5b000 0x7ee5dfff Private Memory Readable, Writable True False False
private_0x000000007ee5e000 0x7ee5e000 0x7ee60fff Private Memory Readable, Writable True False False
private_0x000000007ee61000 0x7ee61000 0x7ee63fff Private Memory Readable, Writable True False False
private_0x000000007ee64000 0x7ee64000 0x7ee66fff Private Memory Readable, Writable True False False
private_0x000000007ee67000 0x7ee67000 0x7ee69fff Private Memory Readable, Writable True False False
private_0x000000007ee6a000 0x7ee6a000 0x7ee6cfff Private Memory Readable, Writable True False False
private_0x000000007ee6d000 0x7ee6d000 0x7ee6ffff Private Memory Readable, Writable True False False
pagefile_0x000000007ee70000 0x7ee70000 0x7ef6ffff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ef70000 0x7ef70000 0x7ef92fff Pagefile Backed Memory Readable True False False
private_0x000000007ef94000 0x7ef94000 0x7ef96fff Private Memory Readable, Writable True False False
private_0x000000007ef97000 0x7ef97000 0x7ef97fff Private Memory Readable, Writable True False False
private_0x000000007ef99000 0x7ef99000 0x7ef9bfff Private Memory Readable, Writable True False False
private_0x000000007ef9c000 0x7ef9c000 0x7ef9efff Private Memory Readable, Writable True False False
private_0x000000007ef9f000 0x7ef9f000 0x7ef9ffff Private Memory Readable, Writable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7dfe18a2ffff Private Memory Readable True False False
pagefile_0x00007dfe18a30000 0x7dfe18a30000 0x7ffe18a2ffff Pagefile Backed Memory - True False False
ntdll.dll 0x7ffe18a30000 0x7ffe18bf1fff Memory Mapped File Readable, Writable, Executable False False False
private_0x00007ffe18bf2000 0x7ffe18bf2000 0x7ffffffeffff Private Memory Readable True False False
For performance reasons, the remaining 121 entries are omitted.
The remaining entries can be found in flog.txt.
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count Logfile
Modify Memory #13: c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 0x204 address = 0x5040000, size = 131072 True 1
Modify Memory #13: c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 0x204 address = 0x505b6a4, size = 4 True 1
Modify Memory #13: c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 0x204 address = 0x505b7c0, size = 4 True 1
Modify Memory #13: c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 0x204 address = 0x505bdb4, size = 4 True 1
Create Remote Thread #13: c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 0x204 address = 0x504b50c True 1
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\ciihmn~1\appdata\local\temp\cabb597.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\cabb598.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\cabb599.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\cabb59a.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\cabb59b.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\cabb5ac.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\cabb5ad.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\cabb5be.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\cabb5bf.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\cabb5c0.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\sofb65d.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\cabb597.tmp 0.32 KB (324 bytes) MD5: 88fc36caeab09fb0080837c992f83183
SHA1: 44e3c85cf97e9bdace6612865940024f28bebf75
SHA256: 8d6b0fbf64768994f5555ce3676ba7c89d5bacdbf963f724b797e271981204fd
False
c:\users\ciihmn~1\appdata\local\temp\cabb598.tmp 0.07 KB (68 bytes) MD5: 645ae58ef1c1e4da7c05e45c57912c9b
SHA1: 54ac5716b662c5f00d034708be935983bc0d3763
SHA256: 12f4c98eda0ff3e8fb5d0e9a31fd94225f64728a5f10cbad6fbd523d5fa7f775
False
c:\users\ciihmn~1\appdata\local\temp\cabb59a.tmp 0.07 KB (68 bytes) MD5: 645ae58ef1c1e4da7c05e45c57912c9b
SHA1: 54ac5716b662c5f00d034708be935983bc0d3763
SHA256: 12f4c98eda0ff3e8fb5d0e9a31fd94225f64728a5f10cbad6fbd523d5fa7f775
False
c:\users\ciihmn~1\appdata\local\temp\flab587.tmp 0.43 KB (436 bytes) MD5: d7859b496da03c0e61243641c65b6510
SHA1: 0dea29cb67e5b6f628a3e440f10421d8df0ef574
SHA256: da9736e8fac8dba275bd2ae8fe5385b06de8bbf0267ddd628ea603f187e0fc93
False
c:\users\ciihmn~1\appdata\local\temp\cabb599.tmp 0.32 KB (324 bytes) MD5: 6f2eb04f33941fc3a5c436f5fffc8c50
SHA1: c58ac82242d6f178ceeb9324254c6db8f8a88f00
SHA256: 3bd89fc970eb49f1b132264519ba129e0024550bafc6bf76f74ea99be344c9b7
False
c:\users\ciihmn~1\appdata\local\temp\cabb59b.tmp 0.01 KB (8 bytes) MD5: 7b5b6c7bf41e6055abd4e74476e08575
SHA1: 5c05d3a68f69258d236f6d9677cc0a42e399e7cc
SHA256: 2392619f397925a165cf31634781d68b006c396611c425f6c67f338356e47f8f
False
c:\users\ciihmn~1\appdata\local\temp\sofb65d.tmp 1.01 KB (1038 bytes) MD5: b8721ab85c8da93e999be95a72cb0842
SHA1: f9a9ac562a4c289a4d3e815bb708c146a4a22fcc
SHA256: c8baea7bbcd82d9bceb0396e16650d95dfa381bbd5bec6c3169b56af4d9e4e6e
False
Host Behavior
COM (19)
Operation Class Interface Additional Information Success Count Logfile
Create WBEMLocator IWbemLocator cls_context = CLSCTX_INPROC_SERVER, CLSCTX_NO_CODE_DOWNLOAD, CLSCTX_NO_FAILURE_LOG True 6
Create 3C374A40-BAE4-11CF-BF7D-00AA006946EE AFA0DC11-C313-11D0-831A-00C04FD5AE38 cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = ROOT\SecurityCenter True 1
Execute WBEMLocator IWbemServices method_name = ExecQuery True 1
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = ROOT\SecurityCenter2 True 1
Execute WBEMLocator IWbemServices method_name = ExecQuery True 1
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = R True 1
Execute WBEMLocator IWbemServices method_name = ExecQuery, query = S True 1
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = ROOT\SecurityCenter2 True 1
Execute WBEMLocator IWbemServices method_name = ExecQuery, query = S True 1
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = R True 1
Execute WBEMLocator IWbemServices method_name = ExecQuery, query = Select * from FirewallProduct True 2
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = ROOT\SecurityCenter2 True 1
File (3390)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 6
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 6
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 5
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 5
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.tmp desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 13
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 13
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 3
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 3
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\profiles.ini desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4 desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\store.json.mozlz4 desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\store.json.mozlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4 desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4 desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4 desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4 desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4 desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4 desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4 desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\session-state.json desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\session-state.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\state.json desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\state.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.ini desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.ini desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.json desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.dll desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.dll desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\mimeTypes.rdf desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\mimeTypes.rdf desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\parent.lock desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\parent.lock desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\pluginreg.dat desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\pluginreg.dat desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\revocations.txt desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\revocations.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\saved-telemetry-pings\d896fec9-1a7a-4db1-a3a2-e46d95b631a5 desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\saved-telemetry-pings\d896fec9-1a7a-4db1-a3a2-e46d95b631a5 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\search.json.mozlz4 desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\search.json.mozlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\secmod.db desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\secmod.db desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SecurityPreloadState.txt desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SecurityPreloadState.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionCheckpoints.json desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionCheckpoints.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\previous.js desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\previous.js desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\upgrade.js-20170518000419 desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\upgrade.js-20170518000419 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore.js desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore.js desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SiteSecurityServiceState.txt desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SiteSecurityServiceState.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata-v2 desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata-v2 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata-v2 desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata-v2 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\1 desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\1 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\times.json desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\times.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\xulstore.json desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\xulstore.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20170518000419 desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20170518000419 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4 desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\store.json.mozlz4 desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\store.json.mozlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4 desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4 desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4 desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4 desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4 desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4 desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4 desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\session-state.json desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\session-state.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\state.json desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\state.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.ini desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.ini desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.json desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.dll desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.dll desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\mimeTypes.rdf desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\mimeTypes.rdf desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\parent.lock desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\parent.lock desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\pluginreg.dat desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\pluginreg.dat desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\revocations.txt desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\revocations.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\saved-telemetry-pings\d896fec9-1a7a-4db1-a3a2-e46d95b631a5 desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\saved-telemetry-pings\d896fec9-1a7a-4db1-a3a2-e46d95b631a5 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\search.json.mozlz4 desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\search.json.mozlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\secmod.db desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\secmod.db desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SecurityPreloadState.txt desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SecurityPreloadState.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionCheckpoints.json desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionCheckpoints.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\previous.js desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\previous.js desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\upgrade.js-20170518000419 desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\upgrade.js-20170518000419 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore.js desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore.js desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SiteSecurityServiceState.txt desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SiteSecurityServiceState.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata-v2 desired_access = FILE_READ_ATTRIBUTES True 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata-v2 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata-v2 desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata-v2 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\1 desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\1 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\times.json desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\times.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\xulstore.json desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\xulstore.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\\profiles.ini desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\\profiles.ini desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\profiles.ini desired_access = FILE_READ_ATTRIBUTES True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4 desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\store.json.mozlz4 desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\store.json.mozlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4 desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4 desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4 desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4 desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4 desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4 desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4 desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\session-state.json desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\session-state.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\state.json desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\state.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.ini desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.ini desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.json desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.dll desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.dll desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\mimeTypes.rdf desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\mimeTypes.rdf desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\parent.lock desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\parent.lock desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\pluginreg.dat desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\pluginreg.dat desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\revocations.txt desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\revocations.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\saved-telemetry-pings\d896fec9-1a7a-4db1-a3a2-e46d95b631a5 desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\saved-telemetry-pings\d896fec9-1a7a-4db1-a3a2-e46d95b631a5 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\search.json.mozlz4 desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\search.json.mozlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\secmod.db desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\secmod.db desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SecurityPreloadState.txt desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SecurityPreloadState.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionCheckpoints.json desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionCheckpoints.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\previous.js desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\previous.js desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\upgrade.js-20170518000419 desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\upgrade.js-20170518000419 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore.js desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore.js desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SiteSecurityServiceState.txt desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SiteSecurityServiceState.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata-v2 desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata-v2 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata-v2 desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata-v2 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\1 desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\1 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\times.json desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\times.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\xulstore.json desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\xulstore.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20170518000419 desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20170518000419 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4 desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\store.json.mozlz4 desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\store.json.mozlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4 desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4 desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4 desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4 desired_access = FILE_READ_ATTRIBUTES True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 6
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 6
Create C:\Windows\wcx_ftp.ini desired_access = FILE_READ_ATTRIBUTES False 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\VirtualStore\Windows\wcx_ftp.ini desired_access = FILE_READ_ATTRIBUTES False 1
Create C:\Users\CIiHmnxMn6Ps\wcx_ftp.ini desired_access = FILE_READ_ATTRIBUTES False 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\GHISLER\wcx_ftp.ini desired_access = FILE_READ_ATTRIBUTES False 1
Create C:\ProgramData\GHISLER\wcx_ftp.ini desired_access = FILE_READ_ATTRIBUTES False 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\GHISLER\wcx_ftp.ini desired_access = FILE_READ_ATTRIBUTES False 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\FileZilla\sitemanager.xml desired_access = FILE_READ_ATTRIBUTES False 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\FileZilla\recentservers.xml desired_access = FILE_READ_ATTRIBUTES False 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\FileZilla\filezilla.xml desired_access = FILE_READ_ATTRIBUTES False 2
Create C:\ProgramData\FileZilla\sitemanager.xml desired_access = FILE_READ_ATTRIBUTES False 2
Create C:\ProgramData\FileZilla\recentservers.xml desired_access = FILE_READ_ATTRIBUTES False 2
Create C:\ProgramData\FileZilla\filezilla.xml desired_access = FILE_READ_ATTRIBUTES False 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\FileZilla\sitemanager.xml desired_access = FILE_READ_ATTRIBUTES False 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\FileZilla\recentservers.xml desired_access = FILE_READ_ATTRIBUTES False 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\FileZilla\filezilla.xml desired_access = FILE_READ_ATTRIBUTES False 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\8489XH4E.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\8JC8NM7O.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\OOUVZSZN.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\TIGZFGLM.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\VZZ1F97R.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\XNW1G0SM.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Z3FJF3OM.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\0GHTMU6X.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\0MDKR34W.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\0Z1JIEVI.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\16DOE15M.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\16Y0X4V7.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1L3KU69N.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1LFQZEOH.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1LLUY7B7.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1UYN2RFY.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\23JC2UTD.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\2EQ4E2OJ.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\2HYILE1O.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\3RW4K76X.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\3VVSZ2CO.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4MN240WN.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4O6583I0.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4YWCPPXN.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4Z6UDYLY.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5AFMRGRY.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5ARQYMIV.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5AV8L20N.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5NWXN3UI.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5STJ6NZL.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5TAY54V0.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5WQEGNKI.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\66I0OJL8.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\80J4IH0Y.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\8FFCGS26.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9ABR37NL.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9IJPMFHZ.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9M7ZHW1Q.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9XACNSYG.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9Z1Y5ICI.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\A0RK8A2H.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\AA2IJ7JU.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\B427TFXJ.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\BK4HNAZ1.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\CC7DS78R.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\CDGOWO27.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\CYHYO8JD.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\D9QO3KHK.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\DN8YUCVA.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\DQI7WAG8.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\DRDF2EZX.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\E2KPI4ZI.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\E978TFRK.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\F68MFAMN.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FCGXHIFT.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FGTTES1V.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FLTMVY1F.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FOLSAQT6.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\GXB342YS.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\H5LCJX1B.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\HBPP9XXY.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\HF8F6LU0.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\HTVL5WIW.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\ILF13HLB.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\ISTFXHHR.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\ITD4OUAR.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\J4JSQG9R.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\JQOCYKOH.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\JWFWLAYR.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\K8249Y1G.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\KNJ4AJDH.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\L78EW25D.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LC10XEWL.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LVARU12Y.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LY1NFEKN.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LY3FDU65.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\M19117WZ.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MA5WDFBR.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MBJX4MYA.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MCAKE788.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MIL4MU1S.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MM8KB9U2.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MMPF10F4.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MOE7DCQU.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\NEHE4KDB.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\NOCAHPZ6.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\NYCCG1AV.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\O8FFFI2K.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\P778SMC9.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\PF9HBAFQ.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\PK3I34UV.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\QUMCK8L4.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RAYRHE6Z.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RQK5QF4L.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RTEPN67M.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RYK7X1K4.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\S0EK69P5.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\SEVCUJM3.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\STGOZ493.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\T1LCPPSA.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\TCXQPY9L.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\TEW946CI.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\TFCJHLEI.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\U2OYIS47.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\U8FCPAKJ.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UBUPNOZC.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UBXQG39X.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UGL14QS0.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UUEVXDWP.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\V7NNCJHO.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\VD3GM2DA.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\WPEXKTDV.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\WUT8M1Q8.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\WX75TEOR.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\XRS5D0N2.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\XUAUK5R0.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\Y1I415YS.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\Y3XU5OKR.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\1ZJA02JO.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\268TPJIA.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\6KWA3R8C.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\85DGK2J5.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\FPNDV7T3.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\J9KFLZDX.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\JN00AKV9.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\OR8K8VRM.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\TK0LXHBL.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\VC62GJSF.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\VSMDVD55.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\51TU1403.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\5GJKP08H.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\6NQ9V8CD.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\JZ1UUUP9.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\KW0ULAFV.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\SW6Z4AI1.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\TU6XBKFE.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\U9PT9V3Q.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cabB5AC.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cabB5AD.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\flaB587.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cabB5BE.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cabB5BF.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cabB5C0.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 5
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 5
Create C:\Users\CIIHMN~1\AppData\Local\Temp\flaB587.tmp desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 2
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 2
Create C:\Users\CIIHMN~1\AppData\Local\Temp\sofB65D.tmp desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\sofB65D.tmp desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 18
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 18
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 9
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 9
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.tmp desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 9
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 9
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.tmp desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\cabB597.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\, prefix = cab True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\cabB598.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\, prefix = cab True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\cabB599.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\, prefix = cab True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\cabB59A.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\, prefix = cab True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\cabB59B.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\, prefix = cab True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\cabB5AC.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\, prefix = cab True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\cabB5AD.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\, prefix = cab True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\cabB5BE.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\, prefix = cab True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\cabB5BF.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\, prefix = cab True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\cabB5C0.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\, prefix = cab True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\sofB65D.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\, prefix = softlist True 1
Create Pipe \device\namedpipe\e7cb4c13c5ff510208fe9abc26bb5b59 open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_OVERLAPPED, max_instances = 255 True 1
Get Info C:\Users type = file_attributes True 110
Get Info C:\Users\CIiHmnxMn6Ps type = file_attributes True 110
Get Info C:\Users\CIiHmnxMn6Ps\AppData type = file_attributes True 110
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming type = file_attributes True 110
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia type = file_attributes True 110
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player type = file_attributes True 110
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com type = file_attributes True 110
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support type = file_attributes True 110
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer type = file_attributes True 110
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys type = file_attributes True 110
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 3076 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 3643 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.tmp type = file_attributes False 3
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = file_attributes True 3
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 3925 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 3925 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 0 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 274 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 547 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe type = size, size_out = 303104 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 1367 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 1648 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 1911 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 2125 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 2405 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 2672 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 2953 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 3216 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 3441 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 3720 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.tmp type = size, size_out = 4197 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 3979 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 4252 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 4488 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 4634 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 4773 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 4908 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\ type = file_attributes True 3
Get Info C:\Program Files (x86)\Mozilla Firefox type = file_attributes True 3
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4 type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\store.json.mozlz4 type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4 type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4 type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4 type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4 type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4 type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4 type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4 type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\session-state.json type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\state.json type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.ini type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.json type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.dll type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\mimeTypes.rdf type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\parent.lock type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\pluginreg.dat type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\revocations.txt type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\saved-telemetry-pings\d896fec9-1a7a-4db1-a3a2-e46d95b631a5 type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\search.json.mozlz4 type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\secmod.db type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SecurityPreloadState.txt type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionCheckpoints.json type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\previous.js type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\upgrade.js-20170518000419 type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore.js type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SiteSecurityServiceState.txt type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata-v2 type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata-v2 type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\1 type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\times.json type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\xulstore.json type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20170518000419 type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4 type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\store.json.mozlz4 type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4 type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4 type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4 type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4 type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4 type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4 type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4 type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\session-state.json type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\state.json type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.ini type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.json type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.dll type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\mimeTypes.rdf type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\parent.lock type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\pluginreg.dat type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\revocations.txt type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\saved-telemetry-pings\d896fec9-1a7a-4db1-a3a2-e46d95b631a5 type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\search.json.mozlz4 type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\secmod.db type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SecurityPreloadState.txt type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionCheckpoints.json type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\previous.js type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\upgrade.js-20170518000419 type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore.js type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SiteSecurityServiceState.txt type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata-v2 type = size True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata-v2 type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\1 type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\times.json type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\xulstore.json type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\\profiles.ini type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4 type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\store.json.mozlz4 type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4 type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4 type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4 type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4 type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4 type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4 type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4 type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\session-state.json type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\state.json type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.ini type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.json type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.dll type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\mimeTypes.rdf type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\parent.lock type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\pluginreg.dat type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\revocations.txt type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\saved-telemetry-pings\d896fec9-1a7a-4db1-a3a2-e46d95b631a5 type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\search.json.mozlz4 type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\secmod.db type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SecurityPreloadState.txt type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionCheckpoints.json type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\previous.js type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\upgrade.js-20170518000419 type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore.js type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SiteSecurityServiceState.txt type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata-v2 type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata-v2 type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\1 type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\times.json type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\xulstore.json type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20170518000419 type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4 type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\store.json.mozlz4 type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4 type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4 type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4 type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4 type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 5052 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 5192 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 5898 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 6038 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 6190 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 6338 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 6486 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 6630 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data type = size True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\8489XH4E.txt type = size, size_out = 105 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\8JC8NM7O.txt type = size, size_out = 201 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\OOUVZSZN.txt type = size, size_out = 161 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\TIGZFGLM.txt type = size, size_out = 122 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\VZZ1F97R.txt type = size, size_out = 353 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\XNW1G0SM.txt type = size, size_out = 117 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Z3FJF3OM.txt type = size, size_out = 99 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\0GHTMU6X.txt type = size, size_out = 107 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\0MDKR34W.txt type = size, size_out = 161 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\0Z1JIEVI.txt type = size, size_out = 223 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\16DOE15M.txt type = size, size_out = 93 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\16Y0X4V7.txt type = size, size_out = 414 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1L3KU69N.txt type = size, size_out = 111 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1LFQZEOH.txt type = size, size_out = 111 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1LLUY7B7.txt type = size, size_out = 119 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1UYN2RFY.txt type = size, size_out = 274 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\23JC2UTD.txt type = size, size_out = 92 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\2EQ4E2OJ.txt type = size, size_out = 169 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\2HYILE1O.txt type = size, size_out = 761 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\3RW4K76X.txt type = size, size_out = 81 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\3VVSZ2CO.txt type = size, size_out = 129 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4MN240WN.txt type = size, size_out = 162 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4O6583I0.txt type = size, size_out = 566 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4YWCPPXN.txt type = size, size_out = 499 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4Z6UDYLY.txt type = size, size_out = 90 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5AFMRGRY.txt type = size, size_out = 200 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5ARQYMIV.txt type = size, size_out = 809 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5AV8L20N.txt type = size, size_out = 340 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5NWXN3UI.txt type = size, size_out = 103 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5STJ6NZL.txt type = size, size_out = 732 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5TAY54V0.txt type = size, size_out = 170 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5WQEGNKI.txt type = size, size_out = 191 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\66I0OJL8.txt type = size, size_out = 97 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\80J4IH0Y.txt type = size, size_out = 92 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\8FFCGS26.txt type = size, size_out = 833 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9ABR37NL.txt type = size, size_out = 234 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9IJPMFHZ.txt type = size, size_out = 363 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9M7ZHW1Q.txt type = size, size_out = 503 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9XACNSYG.txt type = size, size_out = 666 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9Z1Y5ICI.txt type = size, size_out = 114 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\A0RK8A2H.txt type = size, size_out = 128 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\AA2IJ7JU.txt type = size, size_out = 289 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\B427TFXJ.txt type = size, size_out = 512 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\BK4HNAZ1.txt type = size, size_out = 206 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\CC7DS78R.txt type = size, size_out = 79 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\CDGOWO27.txt type = size, size_out = 140 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\CYHYO8JD.txt type = size, size_out = 110 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\D9QO3KHK.txt type = size, size_out = 264 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\DN8YUCVA.txt type = size, size_out = 1377 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\DQI7WAG8.txt type = size, size_out = 90 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\DRDF2EZX.txt type = size, size_out = 93 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\E2KPI4ZI.txt type = size, size_out = 105 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\E978TFRK.txt type = size, size_out = 153 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\F68MFAMN.txt type = size, size_out = 104 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FCGXHIFT.txt type = size, size_out = 303 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FGTTES1V.txt type = size, size_out = 89 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FLTMVY1F.txt type = size, size_out = 540 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FOLSAQT6.txt type = size, size_out = 181 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\GXB342YS.txt type = size, size_out = 318 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\H5LCJX1B.txt type = size, size_out = 596 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\HBPP9XXY.txt type = size, size_out = 586 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\HF8F6LU0.txt type = size, size_out = 287 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\HTVL5WIW.txt type = size, size_out = 112 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\ILF13HLB.txt type = size, size_out = 272 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\ISTFXHHR.txt type = size, size_out = 330 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\ITD4OUAR.txt type = size, size_out = 187 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\J4JSQG9R.txt type = size, size_out = 712 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\JQOCYKOH.txt type = size, size_out = 1012 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\JWFWLAYR.txt type = size, size_out = 179 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\K8249Y1G.txt type = size, size_out = 235 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\KNJ4AJDH.txt type = size, size_out = 515 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\L78EW25D.txt type = size, size_out = 111 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LC10XEWL.txt type = size, size_out = 331 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LVARU12Y.txt type = size, size_out = 261 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LY1NFEKN.txt type = size, size_out = 403 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LY3FDU65.txt type = size, size_out = 311 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\M19117WZ.txt type = size, size_out = 289 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MA5WDFBR.txt type = size, size_out = 88 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MBJX4MYA.txt type = size, size_out = 202 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MCAKE788.txt type = size, size_out = 102 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MIL4MU1S.txt type = size, size_out = 163 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MM8KB9U2.txt type = size, size_out = 434 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MMPF10F4.txt type = size, size_out = 260 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MOE7DCQU.txt type = size, size_out = 118 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\NEHE4KDB.txt type = size, size_out = 114 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\NOCAHPZ6.txt type = size, size_out = 137 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\NYCCG1AV.txt type = size, size_out = 1600 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\O8FFFI2K.txt type = size, size_out = 110 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\P778SMC9.txt type = size, size_out = 87 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\PF9HBAFQ.txt type = size, size_out = 171 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\PK3I34UV.txt type = size, size_out = 223 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\QUMCK8L4.txt type = size, size_out = 86 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RAYRHE6Z.txt type = size, size_out = 505 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RQK5QF4L.txt type = size, size_out = 391 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RTEPN67M.txt type = size, size_out = 237 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RYK7X1K4.txt type = size, size_out = 113 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\S0EK69P5.txt type = size, size_out = 123 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\SEVCUJM3.txt type = size, size_out = 88 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\STGOZ493.txt type = size, size_out = 107 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\T1LCPPSA.txt type = size, size_out = 80 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\TCXQPY9L.txt type = size, size_out = 108 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\TEW946CI.txt type = size, size_out = 145 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\TFCJHLEI.txt type = size, size_out = 218 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\U2OYIS47.txt type = size, size_out = 111 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\U8FCPAKJ.txt type = size, size_out = 111 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UBUPNOZC.txt type = size, size_out = 84 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UBXQG39X.txt type = size, size_out = 105 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UGL14QS0.txt type = size, size_out = 130 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UUEVXDWP.txt type = size, size_out = 555 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\V7NNCJHO.txt type = size, size_out = 144 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\VD3GM2DA.txt type = size, size_out = 174 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\WPEXKTDV.txt type = size, size_out = 380 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\WUT8M1Q8.txt type = size, size_out = 362 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\WX75TEOR.txt type = size, size_out = 282 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\XRS5D0N2.txt type = size, size_out = 275 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\XUAUK5R0.txt type = size, size_out = 94 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\Y1I415YS.txt type = size, size_out = 93 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\Y3XU5OKR.txt type = size, size_out = 90 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 9071 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 9212 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\1ZJA02JO.txt type = size, size_out = 111 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\268TPJIA.txt type = size, size_out = 620 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\6KWA3R8C.txt type = size, size_out = 77 True 1
Fn
For performance reasons, the remaining 447 entries are omitted.
The remaining entries can be found in glog.xml.
Registry (1236)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Fn
Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run - True 1
Fn
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Fn
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Fn
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 8
Fn
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 2
Fn
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 2
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 2
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 3
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 2
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 - False 462
Fn
Open Key HKEY_CURRENT_USER\Software\Mozilla - True 3
Fn
Open Key HKEY_CURRENT_USER\Software\Mozilla\Firefox - True 4
Fn
Open Key HKEY_CURRENT_USER\Software\Mozilla\Firefox\TaskBarIDs - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\TaskBarIDs - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\TaskBarIDs - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB) - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB) - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB)\Main - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB)\Main - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB)\Uninstall - True 7
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB)\Uninstall - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3 - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3 - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3\bin - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3\extensions - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3\extensions - False 2
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts - False 1
Fn
Open Key HKEY_CURRENT_USER\Identities - True 1
Fn
Open Key HKEY_CURRENT_USER\Identities\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\Software\Microsoft\Internet Account Manager\Accounts - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\03fea8ae12202041b643a9691e5b323c - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Mozilla\Firefox - True 5
Fn
Open Key HKEY_CURRENT_USER\Software\Mozilla\Firefox\TaskBarIDs - True 5
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\TaskBarIDs - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB) - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3 - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3\bin - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3\extensions - True 4
Fn
Open Key HKEY_CURRENT_USER\Software\Martin Prikryl - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Martin Prikryl - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Ghisler\Windows Commander - False 24
Fn
Open Key HKEY_CURRENT_USER\Software\Ghisler\Total Commander - False 24
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Ghisler\Windows Commander - False 24
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Ghisler\Total Commander - False 24
Fn
Open Key HKEY_CURRENT_USER\Software\FileZilla - False 4
Fn
Open Key HKEY_CURRENT_USER\Software\FileZilla Client - False 3
Fn
Open Key HKEY_LOCAL_MACHINE\Software\FileZilla - False 3
Fn
Open Key HKEY_LOCAL_MACHINE\Software\FileZilla Client - False 3
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\FormData - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx - True 3
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime - True 3
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore - True 3
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 - True 3
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data - True 3
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX - True 3
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData - True 3
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack - True 3
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 53.0.3 (x86 en-GB) - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2 - True 3
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent - True 3
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC - True 3
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E} - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757 - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757 - False 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173 - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173 - False 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860 - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860 - False 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655 - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655 - False 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743 - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743 - False 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063 - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063 - False 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573 - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573 - False 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a} - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3D82C954-2957-418B-908F-FE78BF3A8BEB} - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} - False 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2} - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{74d0e5db-b326-4dae-a6b2-445b9de1836e} - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F} - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675} - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-0804-1033-1959-001824245926} - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100} - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9} - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB} - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845} - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6} - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e52a6842-b0ac-476e-b48f-378a97a67346} - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d} - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5} - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757 - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757 - False 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173 - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173 - False 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860 - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860 - False 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655 - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655 - False 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743 - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743 - False 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063 - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063 - False 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573 - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573 - False 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185} - True 2
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 8
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 2
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 2
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_BINARY True 2
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 2
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_BINARY True 2
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_BINARY True 4
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 2
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_BINARY True 4
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_BINARY True 2
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 1
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Akudfeen, type = REG_BINARY True 1
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 1
Read Value HKEY_CURRENT_USER\Software\Mozilla\Firefox value_name = PathToExe, type = REG_NONE False 3
Read Value HKEY_CURRENT_USER\Software\Mozilla\Firefox\TaskBarIDs value_name = PathToExe, type = REG_NONE False 3
Read Value HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox value_name = PathToExe, type = REG_NONE False 2
Read Value HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\TaskBarIDs value_name = PathToExe, type = REG_NONE False 2
Read Value HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox value_name = PathToExe, type = REG_NONE False 2
Read Value HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB) value_name = PathToExe, type = REG_NONE False 2
Read Value HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB)\Main value_name = PathToExe, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB)\Main value_name = PathToExe, data = 67 True 1
Read Value HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB)\Uninstall value_name = PathToExe, type = REG_NONE False 4
Read Value HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3 value_name = PathToExe, type = REG_NONE False 2
Read Value HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3\bin value_name = PathToExe, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3\extensions value_name = PathToExe, type = REG_NONE False 2
Read Value HKEY_CURRENT_USER\Software\Mozilla\Firefox value_name = PathToExe, type = REG_NONE False 3
Read Value HKEY_CURRENT_USER\Software\Mozilla\Firefox\TaskBarIDs value_name = PathToExe, type = REG_NONE False 3
Read Value HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox value_name = PathToExe, type = REG_NONE False 2
Read Value HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\TaskBarIDs value_name = PathToExe, type = REG_NONE False 2
Read Value HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox value_name = PathToExe, type = REG_NONE False 2
Read Value HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB) value_name = PathToExe, type = REG_NONE False 2
Read Value HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB)\Main value_name = PathToExe, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB)\Main value_name = PathToExe, data = 67 True 1
Read Value HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3 value_name = PathToExe, type = REG_NONE False 2
Read Value HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3\bin value_name = PathToExe, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3\extensions value_name = PathToExe, type = REG_NONE False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook value_name = UninstallString, type = REG_NONE False 3
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager value_name = UninstallString, type = REG_NONE False 3
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx value_name = UninstallString, type = REG_NONE False 3
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime value_name = UninstallString, type = REG_NONE False 3
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore value_name = UninstallString, type = REG_NONE False 3
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome value_name = UninstallString, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome value_name = UninstallString, data = 34 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome value_name = DisplayName, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome value_name = DisplayName, data = 71 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 value_name = UninstallString, type = REG_NONE False 3
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data value_name = UninstallString, type = REG_NONE False 3
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX value_name = UninstallString, type = REG_NONE False 3
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData value_name = UninstallString, type = REG_NONE False 3
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack value_name = UninstallString, type = REG_NONE False 3
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 53.0.3 (x86 en-GB) value_name = UninstallString, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 53.0.3 (x86 en-GB) value_name = UninstallString, data = 34 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 53.0.3 (x86 en-GB) value_name = DisplayName, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 53.0.3 (x86 en-GB) value_name = DisplayName, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2 value_name = UninstallString, type = REG_NONE False 3
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent value_name = UninstallString, type = REG_NONE False 3
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC value_name = UninstallString, type = REG_NONE False 3
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E} value_name = UninstallString, data = 0, type = REG_EXPAND_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E} value_name = UninstallString, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E} value_name = DisplayName, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E} value_name = DisplayName, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757 value_name = UninstallString, type = REG_NONE False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173 value_name = UninstallString, type = REG_NONE False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860 value_name = UninstallString, type = REG_NONE False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655 value_name = UninstallString, type = REG_NONE False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743 value_name = UninstallString, type = REG_NONE False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063 value_name = UninstallString, type = REG_NONE False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573 value_name = UninstallString, type = REG_NONE False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} value_name = UninstallString, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} value_name = UninstallString, data = 34 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} value_name = DisplayName, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} value_name = DisplayName, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a} value_name = UninstallString, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a} value_name = UninstallString, data = 34 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a} value_name = DisplayName, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a} value_name = DisplayName, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3D82C954-2957-418B-908F-FE78BF3A8BEB} value_name = UninstallString, data = 0, type = REG_EXPAND_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3D82C954-2957-418B-908F-FE78BF3A8BEB} value_name = UninstallString, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3D82C954-2957-418B-908F-FE78BF3A8BEB} value_name = DisplayName, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3D82C954-2957-418B-908F-FE78BF3A8BEB} value_name = DisplayName, data = 65 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} value_name = UninstallString, type = REG_NONE False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2} value_name = UninstallString, data = 0, type = REG_EXPAND_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2} value_name = UninstallString, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2} value_name = DisplayName, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2} value_name = DisplayName, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{74d0e5db-b326-4dae-a6b2-445b9de1836e} value_name = UninstallString, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{74d0e5db-b326-4dae-a6b2-445b9de1836e} value_name = UninstallString, data = 34 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{74d0e5db-b326-4dae-a6b2-445b9de1836e} value_name = DisplayName, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{74d0e5db-b326-4dae-a6b2-445b9de1836e} value_name = DisplayName, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F} value_name = UninstallString, data = 0, type = REG_EXPAND_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F} value_name = UninstallString, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F} value_name = DisplayName, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F} value_name = DisplayName, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675} value_name = UninstallString, data = 0, type = REG_EXPAND_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675} value_name = UninstallString, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675} value_name = DisplayName, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675} value_name = DisplayName, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-0804-1033-1959-001824245926} value_name = UninstallString, data = 0, type = REG_EXPAND_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-0804-1033-1959-001824245926} value_name = UninstallString, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-0804-1033-1959-001824245926} value_name = DisplayName, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-0804-1033-1959-001824245926} value_name = DisplayName, data = 65 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100} value_name = UninstallString, data = 0, type = REG_EXPAND_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100} value_name = UninstallString, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100} value_name = DisplayName, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100} value_name = DisplayName, data = 65 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9} value_name = UninstallString, data = 0, type = REG_EXPAND_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9} value_name = UninstallString, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9} value_name = DisplayName, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9} value_name = DisplayName, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB} value_name = UninstallString, data = 0, type = REG_EXPAND_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB} value_name = UninstallString, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB} value_name = DisplayName, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB} value_name = DisplayName, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845} value_name = UninstallString, data = 0, type = REG_EXPAND_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845} value_name = UninstallString, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845} value_name = DisplayName, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845} value_name = DisplayName, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6} value_name = UninstallString, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6} value_name = UninstallString, data = 34 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6} value_name = DisplayName, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6} value_name = DisplayName, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e52a6842-b0ac-476e-b48f-378a97a67346} value_name = UninstallString, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e52a6842-b0ac-476e-b48f-378a97a67346} value_name = UninstallString, data = 34 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e52a6842-b0ac-476e-b48f-378a97a67346} value_name = DisplayName, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e52a6842-b0ac-476e-b48f-378a97a67346} value_name = DisplayName, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d} value_name = UninstallString, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d} value_name = UninstallString, data = 34 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d} value_name = DisplayName, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d} value_name = DisplayName, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5} value_name = UninstallString, data = 0, type = REG_EXPAND_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5} value_name = UninstallString, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5} value_name = DisplayName, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5} value_name = DisplayName, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757 value_name = UninstallString, type = REG_NONE False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173 value_name = UninstallString, type = REG_NONE False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860 value_name = UninstallString, type = REG_NONE False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655 value_name = UninstallString, type = REG_NONE False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743 value_name = UninstallString, type = REG_NONE False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063 value_name = UninstallString, type = REG_NONE False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573 value_name = UninstallString, type = REG_NONE False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185} value_name = UninstallString, data = 0, type = REG_EXPAND_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185} value_name = UninstallString, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185} value_name = DisplayName, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185} value_name = DisplayName, data = 77 True 1
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 1
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Akudfeen, type = REG_BINARY True 4
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 4
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 2
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_BINARY True 1
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_BINARY True 1
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 2
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_BINARY True 1
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, size = 1776, type = REG_BINARY True 1
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run value_name = containers.exe, data = "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe", size = 236, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, size = 1776, type = REG_BINARY True 1
Fn
Data
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, size = 1776, type = REG_BINARY True 1
Fn
Data
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Akudfeen, size = 531328, type = REG_BINARY True 1
Fn
Data
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, size = 1776, type = REG_BINARY True 4
Fn
Data
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Akudfeen, size = 807168, type = REG_BINARY True 1
Fn
Data
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Akudfeen, size = 818816, type = REG_BINARY True 1
Fn
Data
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Akudfeen, size = 837968, type = REG_BINARY True 1
Fn
Data
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, size = 1776, type = REG_BINARY True 2
Fn
Data
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, size = 1776, type = REG_BINARY True 2
Fn
Data
Enumerate Keys HKEY_CURRENT_USER\Software\Mozilla - True 3
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Mozilla\Firefox - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Mozilla\Firefox\TaskBarIDs - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Mozilla\Firefox - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Mozilla - False 3
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla - True 3
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\TaskBarIDs - False 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox - False 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla - True 3
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB) - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB)\Main - False 3
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB)\Uninstall - False 3
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3 - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3\bin - False 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3 - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3\extensions - False 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3 - False 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla - False 2
Fn
Enumerate Keys HKEY_CURRENT_USER\Identities - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\03fea8ae12202041b643a9691e5b323c - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Mozilla\Firefox - True 2
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Mozilla\Firefox\TaskBarIDs - False 2
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Mozilla\Firefox - False 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\TaskBarIDs - False 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox - False 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB) - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB) - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB) - False 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox - False 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3 - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3\bin - False 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3 - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3\extensions - False 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3 - False 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - False 1
Fn
Process (7395)
Operation Process Additional Information Success Count Logfile
Open System desired_access = PROCESS_QUERY_INFORMATION False 310
Fn
Open c:\windows\system32\smss.exe desired_access = PROCESS_QUERY_INFORMATION False 310
Fn
Open c:\windows\system32\csrss.exe desired_access = PROCESS_QUERY_INFORMATION False 310
Fn
Open c:\windows\system32\wininit.exe desired_access = PROCESS_QUERY_INFORMATION False 310
Fn
Open c:\windows\system32\csrss.exe desired_access = PROCESS_QUERY_INFORMATION False 310
Fn
Open c:\windows\system32\winlogon.exe desired_access = PROCESS_QUERY_INFORMATION False 310
Fn
Open c:\windows\system32\services.exe desired_access = PROCESS_QUERY_INFORMATION False 310
Fn
Open c:\windows\system32\lsass.exe desired_access = PROCESS_QUERY_INFORMATION False 310
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 310
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 310
Fn
Open c:\windows\system32\dwm.exe desired_access = PROCESS_QUERY_INFORMATION False 310
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 310
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 310
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 310
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 310
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 310
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 310
Fn
Open c:\windows\system32\spoolsv.exe desired_access = PROCESS_QUERY_INFORMATION False 310
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 17
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 310
Fn
Open c:\program files (x86)\common files\adobe\arm\1.0\armsvc.exe desired_access = PROCESS_QUERY_INFORMATION False 310
Fn
Open c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe desired_access = PROCESS_QUERY_INFORMATION False 310
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 310
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 2
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 2
Fn
Open c:\windows\explorer.exe desired_access = PROCESS_QUERY_INFORMATION True 2
Fn
Open c:\windows\system32\runtimebroker.exe desired_access = PROCESS_QUERY_INFORMATION True 2
Fn
Open c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe desired_access = PROCESS_QUERY_INFORMATION True 2
Fn
Open c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe desired_access = PROCESS_QUERY_INFORMATION True 2
Fn
Open c:\program files\microsoft office\root\office16\onenotem.exe desired_access = PROCESS_QUERY_INFORMATION True 2
Fn
Open c:\windows\system32\audiodg.exe desired_access = PROCESS_QUERY_INFORMATION False 12
Fn
Open c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe desired_access = PROCESS_QUERY_INFORMATION True 2
Fn
Open c:\windows\system32\backgroundtaskhost.exe desired_access = PROCESS_QUERY_INFORMATION True 2
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION True 2
Fn
Open c:\windows\syswow64\svchost.exe desired_access = PROCESS_QUERY_INFORMATION True 2
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 29
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\windows\explorer.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\windows\system32\runtimebroker.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\program files\microsoft office\root\office16\onenotem.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\windows\system32\backgroundtaskhost.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\windows\syswow64\svchost.exe desired_access = PROCESS_QUERY_INFORMATION True 4
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 38
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 20
Fn
Open c:\windows\explorer.exe desired_access = PROCESS_QUERY_INFORMATION True 20
Fn
Open c:\windows\system32\runtimebroker.exe desired_access = PROCESS_QUERY_INFORMATION True 19
Fn
Open c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe desired_access = PROCESS_QUERY_INFORMATION True 18
Fn
Open c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe desired_access = PROCESS_QUERY_INFORMATION True 18
Fn
Open c:\program files\microsoft office\root\office16\onenotem.exe desired_access = PROCESS_QUERY_INFORMATION True 18
Fn
Open c:\windows\system32\backgroundtaskhost.exe desired_access = PROCESS_QUERY_INFORMATION True 18
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION True 18
Fn
Open c:\windows\syswow64\svchost.exe desired_access = PROCESS_QUERY_INFORMATION True 18
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 2
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 23
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 5
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 8
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 5
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 15
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 52
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 59
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 2
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 21
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 16
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 14
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_QUERY_INFORMATION True 26
Fn
Module (793)
Operation Module Additional Information Success Count Logfile
Load KERNEL32.dll base_address = 0x74990000 True 2
Fn
Load USER32.dll base_address = 0x75c90000 True 2
Fn
Load NTDLL base_address = 0x777a0000 True 4
Fn
Load advapi32.dll base_address = 0x757f0000 True 1
Fn
Load shlwapi.dll base_address = 0x77410000 True 1
Fn
Load psapi.dll base_address = 0x75780000 True 1
Fn
Load secur32.dll base_address = 0x745b0000 True 1
Fn
Load SSPICLI base_address = 0x748b0000 True 1
Fn
Load wininet.dll base_address = 0x74240000 True 1
Fn
Load crypt32.dll base_address = 0x75510000 True 1
Fn
Load urlmon.dll base_address = 0x74630000 True 1
Fn
Load ole32.dll base_address = 0x75690000 True 2
Fn
Load api-ms-win-core-com-l1-1-0 base_address = 0x75a90000 True 4
Fn
Load ADVAPI32.dll base_address = 0x757f0000 True 1
Fn
Load SHELL32.dll base_address = 0x76050000 True 1
Fn
Load SHLWAPI.dll base_address = 0x77410000 True 1
Fn
Load CRYPT32.dll base_address = 0x75510000 True 1
Fn
Load Secur32.dll base_address = 0x745b0000 True 1
Fn
Load MSVCRT.dll base_address = 0x753f0000 True 1
Fn
Load WININET.dll base_address = 0x74240000 True 1
Fn
Load Pstorec.dll base_address = 0x73a80000 True 1
Fn
Load vaultcli.dll base_address = 0x72df0000 True 1
Fn
Load Pstorec.dll base_address = 0x72e20000 True 1
Fn
Load cabinet.dll base_address = 0x73a60000 True 1
Fn
Get Handle advapi32.dll base_address = 0x0 False 1
Fn
Get Handle shlwapi.dll base_address = 0x0 False 1
Fn
Get Handle psapi.dll base_address = 0x0 False 1
Fn
Get Handle secur32.dll base_address = 0x0 False 1
Fn
Get Handle c:\windows\syswow64\oleaut32.dll base_address = 0x75dd0000 True 1
Fn
Get Filename psapi.dll process_name = c:\windows\syswow64\svchost.exe, file_name_orig = C:\Windows\SysWOW64\svchost.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedExchange, address_out = 0x749a7650 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapCreate, address_out = 0x749a9950 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x749a25e0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x777dbae0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x777dda90 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapDestroy, address_out = 0x749ad940 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x749a7910 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedIncrement, address_out = 0x749a7520 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x749a9640 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x749a77b0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x749ad8d0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryW, address_out = 0x749aa0b0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x749a7940 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x749a9660 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadImageW, address_out = 0x75cc4500 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlAddVectoredExceptionHandler, address_out = 0x777ff090 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitializeCriticalSection, address_out = 0x777f95f0 True 1
Fn
Get Address c:\windows\syswow64\sspicli.dll function = GetUserNameExW, address_out = 0x748bc5f0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlEnterCriticalSection, address_out = 0x777e5e80 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlLeaveCriticalSection, address_out = 0x777e5e00 True 1
Fn
Get Address c:\windows\syswow64\combase.dll function = CoInitializeEx, address_out = 0x75afcd50 True 1
Fn
Get Address c:\windows\syswow64\combase.dll function = CoCreateInstance, address_out = 0x75b38200 True 1
Fn
Get Address c:\windows\syswow64\combase.dll function = CoSetProxyBlanket, address_out = 0x75b586d0 True 1
Fn
Get Address c:\windows\syswow64\combase.dll function = CoUninitialize, address_out = 0x75afdca0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x749b5f20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTime, address_out = 0x749b4a60 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FileTimeToLocalFileTime, address_out = 0x749b61c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FileTimeToDosDateTime, address_out = 0x749b2360 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExpandEnvironmentStringsW, address_out = 0x749ac8c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTempPathW, address_out = 0x749b6420 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTempFileNameW, address_out = 0x749b6400 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RemoveDirectoryW, address_out = 0x749b64e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x749b6180 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileAttributesW, address_out = 0x749b6510 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileAttributesW, address_out = 0x749b6340 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileW, address_out = 0x749b61b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileW, address_out = 0x749b6250 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x749b6290 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x749a2d60 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x749a75a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalUnlock, address_out = 0x749a2a10 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalAlloc, address_out = 0x749a8840 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalFree, address_out = 0x749a87c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSize, address_out = 0x749b6360 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MapViewOfFile, address_out = 0x749a8c10 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnmapViewOfFile, address_out = 0x749a94b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpA, address_out = 0x749ac1f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiA, address_out = 0x749a7610 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiW, address_out = 0x749a7540 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpynA, address_out = 0x749af7b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpynW, address_out = 0x749afbe0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x749b3a30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x749a2d80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileMappingW, address_out = 0x749a91e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetPrivateProfileIntW, address_out = 0x749b0420 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetPrivateProfileStringW, address_out = 0x749b08d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetPrivateProfileSectionNamesW, address_out = 0x749b0370 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetWindowsDirectoryW, address_out = 0x749b4cc0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetDllDirectoryW, address_out = 0x749b4c10 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExW, address_out = 0x749aa2a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x749b61d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x749b6540 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DisableThreadLibraryCalls, address_out = 0x749aa0d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x749b64a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x749b6590 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSizeEx, address_out = 0x749b6370 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandle, address_out = 0x749b6350 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x749b6110 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x749a8c70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x749a8b70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalLock, address_out = 0x749a1bc0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x749a98f0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CharLowerW, address_out = 0x75d18330 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CredFree, address_out = 0x75814010 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegEnumKeyExW, address_out = 0x7580efc0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegEnumValueW, address_out = 0x7580f020 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptDestroyHash, address_out = 0x7580fbf0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptHashData, address_out = 0x7580f950 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptCreateHash, address_out = 0x7580f930 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptGetHashParam, address_out = 0x7580f530 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptReleaseContext, address_out = 0x75810ad0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptAcquireContextW, address_out = 0x75810730 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x7580efa0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CredEnumerateW, address_out = 0x75813950 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x7580ed60 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x7580ed80 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyW, address_out = 0x7580f590 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetFolderPathW, address_out = 0x761ce440 True 1
Fn
Get Address Unknown module name function = OleInitialize, address_out = 0x756b9c50 True 1
Fn
Get Address Unknown module name function = CoTaskMemFree, address_out = 0x75b1cf40 True 1
Fn
Get Address Unknown module name function = OleUninitialize, address_out = 0x756b9170 True 1
Fn
Get Address Unknown module name function = CreateStreamOnHGlobal, address_out = 0x75af0a50 True 1
Fn
Get Address Unknown module name function = CoCreateInstance, address_out = 0x75b38200 True 1
Fn
Get Address Unknown module name function = GetHGlobalFromStream, address_out = 0x75b41b30 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = StrStrIA, address_out = 0x7742cd10 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = StrStrIW, address_out = 0x774281f0 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = StrCmpNIA, address_out = 0x77424980 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathMatchSpecW, address_out = 0x77432090 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindFileNameW, address_out = 0x774280d0 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathCombineW, address_out = 0x7742cd50 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = wvnsprintfW, address_out = 0x77438630 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = wvnsprintfA, address_out = 0x774385f0 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = StrRChrIW, address_out = 0x7742c9a0 True 1
Fn
Get Address c:\windows\syswow64\crypt32.dll function = CertOpenSystemStoreW, address_out = 0x7558e7f0 True 1
Fn
Get Address c:\windows\syswow64\crypt32.dll function = CertCloseStore, address_out = 0x7554a180 True 1
Fn
Get Address c:\windows\syswow64\crypt32.dll function = CryptUnprotectData, address_out = 0x7555af50 True 1
Fn
Get Address c:\windows\syswow64\crypt32.dll function = PFXExportCertStoreEx, address_out = 0x755c5ce0 True 1
Fn
Get Address c:\windows\syswow64\crypt32.dll function = CertEnumCertificatesInStore, address_out = 0x75530ab0 True 1
Fn
Get Address c:\windows\syswow64\secur32.dll function = GetUserNameExW, address_out = 0x748bc5f0 True 1
Fn
Get Address c:\windows\syswow64\msvcrt.dll function = memcpy, address_out = 0x754784c0 True 1
Fn
Get Address c:\windows\syswow64\msvcrt.dll function = _adjust_fdiv, address_out = 0x754a5d04 True 1
Fn
Get Address c:\windows\syswow64\msvcrt.dll function = strchr, address_out = 0x75478db0 True 1
Get Address c:\windows\syswow64\msvcrt.dll function = memmove, address_out = 0x754788d0 True 1
Get Address c:\windows\syswow64\msvcrt.dll function = malloc, address_out = 0x754378c0 True 1
Get Address c:\windows\syswow64\msvcrt.dll function = atoi, address_out = 0x7541fe30 True 1
Get Address c:\windows\syswow64\msvcrt.dll function = _vsnwprintf, address_out = 0x75466810 True 1
Get Address c:\windows\syswow64\msvcrt.dll function = _vsnprintf, address_out = 0x754663a0 True 1
Get Address c:\windows\syswow64\msvcrt.dll function = memset, address_out = 0x75478ca0 True 1
Get Address c:\windows\syswow64\msvcrt.dll function = _initterm, address_out = 0x75456880 True 1
Get Address c:\windows\syswow64\msvcrt.dll function = free, address_out = 0x75437700 True 1
Get Address c:\windows\syswow64\wininet.dll function = FindFirstUrlCacheEntryW, address_out = 0x743174e0 True 1
Get Address c:\windows\syswow64\wininet.dll function = DeleteUrlCacheEntryW, address_out = 0x742feef0 True 1
Get Address c:\windows\syswow64\wininet.dll function = FindCloseUrlCache, address_out = 0x74314780 True 1
Get Address c:\windows\syswow64\wininet.dll function = FindNextUrlCacheEntryW, address_out = 0x743184b0 True 1
Get Address Unknown module name function = PStoreCreateInstance, address_out = 0x73a81290 True 1
Get Address Unknown module name function = VaultOpenVault, address_out = 0x72df9e10 True 1
Get Address Unknown module name function = VaultCloseVault, address_out = 0x72df9e80 True 1
Get Address Unknown module name function = VaultEnumerateItems, address_out = 0x72df9c80 True 1
Get Address Unknown module name function = VaultGetItem, address_out = 0x72df9bf0 True 2
Get Address Unknown module name function = VaultFree, address_out = 0x72df9690 True 1
Get Address Unknown module name function = PStoreCreateInstance, address_out = 0x72e21290 True 1
Get Address Unknown module name function = FCICreate, address_out = 0x73a6f660 True 1
Get Address Unknown module name function = FCIAddFile, address_out = 0x73a6f580 True 1
Get Address Unknown module name function = FCIFlushCabinet, address_out = 0x73a6f870 True 1
Get Address Unknown module name function = FCIDestroy, address_out = 0x73a6f800 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt, protection = PAGE_READONLY, maximum_size = 0 False 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\store.json.mozlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\store.json.mozlz4, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\session-state.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\session-state.json, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\state.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\state.json, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.ini filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.ini, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.json, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.dll filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.dll, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\mimeTypes.rdf filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\mimeTypes.rdf, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\parent.lock filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\parent.lock, protection = PAGE_READONLY, maximum_size = 0 False 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\pluginreg.dat filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\pluginreg.dat, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\revocations.txt filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\revocations.txt, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\saved-telemetry-pings\d896fec9-1a7a-4db1-a3a2-e46d95b631a5 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\saved-telemetry-pings\d896fec9-1a7a-4db1-a3a2-e46d95b631a5, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\search.json.mozlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\search.json.mozlz4, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\secmod.db filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\secmod.db, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SecurityPreloadState.txt filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SecurityPreloadState.txt, protection = PAGE_READONLY, maximum_size = 0 False 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionCheckpoints.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionCheckpoints.json, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\previous.js filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\previous.js, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\upgrade.js-20170518000419 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\upgrade.js-20170518000419, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore.js filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore.js, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SiteSecurityServiceState.txt filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SiteSecurityServiceState.txt, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata-v2 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata-v2, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata-v2 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata-v2, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\1 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\1, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\times.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\times.json, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\xulstore.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\xulstore.json, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20170518000419 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20170518000419, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt, protection = PAGE_READONLY, maximum_size = 0 False 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\store.json.mozlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\store.json.mozlz4, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\session-state.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\session-state.json, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\state.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\state.json, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.ini filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.ini, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.json, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.dll filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.dll, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\mimeTypes.rdf filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\mimeTypes.rdf, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\parent.lock filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\parent.lock, protection = PAGE_READONLY, maximum_size = 0 False 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\pluginreg.dat filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\pluginreg.dat, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\revocations.txt filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\revocations.txt, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\saved-telemetry-pings\d896fec9-1a7a-4db1-a3a2-e46d95b631a5 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\saved-telemetry-pings\d896fec9-1a7a-4db1-a3a2-e46d95b631a5, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\search.json.mozlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\search.json.mozlz4, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\secmod.db filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\secmod.db, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SecurityPreloadState.txt filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SecurityPreloadState.txt, protection = PAGE_READONLY, maximum_size = 0 False 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionCheckpoints.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionCheckpoints.json, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\previous.js filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\previous.js, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\upgrade.js-20170518000419 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\upgrade.js-20170518000419, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore.js filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore.js, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SiteSecurityServiceState.txt filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SiteSecurityServiceState.txt, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata-v2 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata-v2, protection = PAGE_READONLY, maximum_size = 0 True 2
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata-v2 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata-v2, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\1 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\1, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\times.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\times.json, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\xulstore.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\xulstore.json, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\\profiles.ini filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\\profiles.ini, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt, protection = PAGE_READONLY, maximum_size = 0 False 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\store.json.mozlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\store.json.mozlz4, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\session-state.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\session-state.json, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\state.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\state.json, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.ini filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.ini, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.json, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.dll filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.dll, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\mimeTypes.rdf filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\mimeTypes.rdf, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\parent.lock filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\parent.lock, protection = PAGE_READONLY, maximum_size = 0 False 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\pluginreg.dat filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\pluginreg.dat, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\revocations.txt filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\revocations.txt, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\saved-telemetry-pings\d896fec9-1a7a-4db1-a3a2-e46d95b631a5 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\saved-telemetry-pings\d896fec9-1a7a-4db1-a3a2-e46d95b631a5, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\search.json.mozlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\search.json.mozlz4, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\secmod.db filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\secmod.db, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SecurityPreloadState.txt filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SecurityPreloadState.txt, protection = PAGE_READONLY, maximum_size = 0 False 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionCheckpoints.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionCheckpoints.json, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\previous.js filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\previous.js, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\upgrade.js-20170518000419 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\upgrade.js-20170518000419, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore.js filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore.js, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SiteSecurityServiceState.txt filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SiteSecurityServiceState.txt, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata-v2 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata-v2, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata-v2 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata-v2, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\1 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\1, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\times.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\times.json, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\xulstore.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\xulstore.json, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20170518000419 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20170518000419, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt, protection = PAGE_READONLY, maximum_size = 0 False 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\store.json.mozlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\store.json.mozlz4, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4, protection = PAGE_READONLY, maximum_size = 0 True 1
Create Mapping C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4 filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4, protection = PAGE_READONLY, maximum_size = 0 True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\store.json.mozlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\session-state.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\state.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.ini process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.dll process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\mimeTypes.rdf process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\pluginreg.dat process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\revocations.txt process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\saved-telemetry-pings\d896fec9-1a7a-4db1-a3a2-e46d95b631a5 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\search.json.mozlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\secmod.db process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionCheckpoints.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\previous.js process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\upgrade.js-20170518000419 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore.js process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SiteSecurityServiceState.txt process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata-v2 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata-v2 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\1 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\times.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\xulstore.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20170518000419 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\store.json.mozlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\session-state.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\state.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.ini process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.dll process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\mimeTypes.rdf process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\pluginreg.dat process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\revocations.txt process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\saved-telemetry-pings\d896fec9-1a7a-4db1-a3a2-e46d95b631a5 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\search.json.mozlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\secmod.db process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionCheckpoints.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\previous.js process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\upgrade.js-20170518000419 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore.js process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SiteSecurityServiceState.txt process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata-v2 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 2
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata-v2 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\1 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\times.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\xulstore.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\\profiles.ini process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\store.json.mozlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\session-state.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\state.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.ini process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.dll process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\mimeTypes.rdf process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\pluginreg.dat process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\revocations.txt process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\saved-telemetry-pings\d896fec9-1a7a-4db1-a3a2-e46d95b631a5 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\search.json.mozlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\secmod.db process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionCheckpoints.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\previous.js process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\upgrade.js-20170518000419 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore.js process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SiteSecurityServiceState.txt process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata-v2 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata-v2 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\1 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\times.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\xulstore.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20170518000419 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\store.json.mozlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.dll process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\1 process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.dll process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
Map C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ True 1
System (3863)
Operation Additional Information Success Count Logfile
Open Certificate Store - True 1
Sleep duration = -1 (infinite) False 2
Sleep duration = -1 (infinite) True 248
Sleep duration = 300000 milliseconds (300.000 seconds) True 2
Sleep duration = 300000 milliseconds (300.000 seconds) False 1
Get Time type = Local Time, time = 2017-11-30 14:40:00 (Local Time) True 1
Get Time type = System Time, time = 2017-11-30 03:40:00 (UTC) True 1
Get Time type = Local Time, time = 2017-11-30 14:40:01 (Local Time) True 3
Get Time type = System Time, time = 2017-11-30 03:40:01 (UTC) True 8
Get Time type = Ticks, time = 174984 True 1
Get Time type = System Time, time = 2017-11-30 03:40:02 (UTC) True 14
Get Time type = System Time, time = 2017-11-30 03:40:03 (UTC) True 1
Get Time type = System Time, time = 2017-11-30 03:41:01 (UTC) True 1
Get Time type = System Time, time = 2017-11-30 03:41:03 (UTC) True 2
Get Time type = System Time, time = 2017-11-30 03:41:04 (UTC) True 2
Get Time type = System Time, time = 2017-11-30 03:41:06 (UTC) True 2
Get Time type = System Time, time = 2017-11-30 03:41:07 (UTC) True 10
Get Time type = System Time, time = 2017-11-30 03:41:08 (UTC) True 9
Get Info type = Operating System False 2929
Get Info type = Hardware Information True 4
Get Info type = SYSTEM_PROCESS_INFORMATION False 310
Get Info type = SYSTEM_PROCESS_INFORMATION True 310
Get Info type = Windows Directory, result_out = C:\Windows True 1
Mutex (224)
Operation Additional Information Success Count Logfile
Create mutex_name = 8EB663269EDB2551D78D6BE980D8D1D5 True 1
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Create mutex_name = 3A05CFF4EB7DE2EF8F3985678370FA5D True 1
Create mutex_name = 99DCC4F63896BA52D9D5D3F7098E00E5 True 1
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Create mutex_name = 55A4DE17653FCFB535BFCEB7986C3B1D True 1
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Create mutex_name = 843724E431E9542E94836F8E62819404 True 1
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Create mutex_name = ACD86ED691154353041C7827C4241C0D True 1
Create mutex_name = BA6E0713253533C2BD32E023F51DAAB1 True 1
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 6
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 4
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 3
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 2
Create mutex_name = 8E6BA92214C9B423A575DAF2D449D162 True 1
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 5
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 20
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 3
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 9
Create mutex_name = 1F6114CF197C565BFF427879E00139DA True 4
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 18
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 10
Create mutex_name = 99DCC4F63896BA52D9D5D3F7098E00E5 True 1
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 9
Create mutex_name = 99DCC4F63896BA52D9D5D3F7098E00E5 True 1
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Release mutex_name = 99DCC4F63896BA52D9D5D3F7098E00E5 True 1
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 6
Release - True 1
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 4
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 3
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 3
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 10
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 5
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 2
Release mutex_name = 8E6BA92214C9B423A575DAF2D449D162 True 1
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 16
Release mutex_name = 1F6114CF197C565BFF427879E00139DA True 4
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 18
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 11
Release mutex_name = 99DCC4F63896BA52D9D5D3F7098E00E5 True 1
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 10
Release mutex_name = 99DCC4F63896BA52D9D5D3F7098E00E5 True 1
Ini (12)
Operation Filename Additional Information Success Count Logfile
Enumerate Sections C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\profiles.ini data_out = General, size = 65000 True 4
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\profiles.ini section_name = Profile0, key_name = Path, data_out = Profiles/8i341t8m.default True 4
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\profiles.ini section_name = Profile0, key_name = IsRelative, default_value = 1 True 4
Network Behavior
HTTP Sessions (26)
Information Value
Total Data Sent 17.27 KB (17684 bytes)
Total Data Received 983.33 KB (1006931 bytes)
Contacted Host Count 2
Contacted Hosts 330f35e9f647.loan, google.com
HTTP Session #1
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.68 KB (700 bytes)
Data Received 0.19 KB (196 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /KbnKhnNec/qN/5/yGGXDaERSOtCLSf9QC/g, accept_types = 84246528, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/KbnKhnNec/qN/5/yGGXDaERSOtCLSf9QC/g False 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/KbnKhnNec/qN/5/yGGXDaERSOtCLSf9QC/g True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Read Response size = 4096, size_out = 192 True 1
Read Response size = 4096, size_out = 0 True 1
Close Session - True 1
HTTP Session #2
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.68 KB (694 bytes)
Data Received 0.19 KB (196 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /rSps/ke9sIH_-V/lJ/DI/sKWc/MRONw/, accept_types = 84246528, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/rSps/ke9sIH_-V/lJ/DI/sKWc/MRONw/ False 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/rSps/ke9sIH_-V/lJ/DI/sKWc/MRONw/ True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Read Response size = 4096, size_out = 192 True 1
Read Response size = 4096, size_out = 0 True 1
Close Session - True 21
HTTP Session #3
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name google.com
Server Port 80
Data Sent 0.29 KB (300 bytes)
Data Received 43.26 KB (44303 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = google.com, server_port = 80 True 1
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /, accept_types = 84246528, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request headers = Connection: close , url = google.com/ True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Read Response size = 4096, size_out = 4096 True 10
Read Response size = 4096, size_out = 3339 True 1
Read Response size = 4096, size_out = 0 True 1
Close Session - True 4
HTTP Session #4
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.68 KB (698 bytes)
Data Received 0.19 KB (196 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /1R52/0u4pYTz_/ExM/AI/4f/XM8U/L/d/g, accept_types = 84246528, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/1R52/0u4pYTz_/ExM/AI/4f/XM8U/L/d/g False 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/1R52/0u4pYTz_/ExM/AI/4f/XM8U/L/d/g True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Read Response size = 4096, size_out = 192 True 1
Read Response size = 4096, size_out = 0 True 1
Close Session - True 4
HTTP Session #5
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.67 KB (690 bytes)
Data Received 0.19 KB (196 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /Ydqt/uth/tJ1TJV1Vo/FcOR/W_NPMA, accept_types = 84246528, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/Ydqt/uth/tJ1TJV1Vo/FcOR/W_NPMA False 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/Ydqt/uth/tJ1TJV1Vo/FcOR/W_NPMA True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Read Response size = 4096, size_out = 192 True 1
Read Response size = 4096, size_out = 0 True 1
Close Session - True 21
HTTP Session #6
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.68 KB (698 bytes)
Data Received 0.19 KB (196 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /OLKU5tAB/rPB/XBjjZZ2/N-Pfmw/N-N_Bg, accept_types = 84246528, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/OLKU5tAB/rPB/XBjjZZ2/N-Pfmw/N-N_Bg False 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/OLKU5tAB/rPB/XBjjZZ2/N-Pfmw/N-N_Bg True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Read Response size = 4096, size_out = 192 True 1
Read Response size = 4096, size_out = 0 True 1
Close Session - True 4
HTTP Session #7
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.68 KB (692 bytes)
Data Received 0.19 KB (196 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /BaoB/o/d1zEU_M/SWNz/EN/2nQPZRBg, accept_types = 84246528, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/BaoB/o/d1zEU_M/SWNz/EN/2nQPZRBg False 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/BaoB/o/d1zEU_M/SWNz/EN/2nQPZRBg True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Read Response size = 4096, size_out = 192 True 1
Read Response size = 4096, size_out = 0 True 1
Close Session - True 21
HTTP Session #8
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.68 KB (696 bytes)
Data Received 0.09 KB (92 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /De1Yth/p9kt/Cn/nFYkQAKMa/NRvIPHQ/, accept_types = 84246528, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/De1Yth/p9kt/Cn/nFYkQAKMa/NRvIPHQ/ False 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/De1Yth/p9kt/Cn/nFYkQAKMa/NRvIPHQ/ True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Read Response size = 4096, size_out = 88 True 1
Read Response size = 4096, size_out = 0 True 1
Close Session - True 4
HTTP Session #9
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.68 KB (694 bytes)
Data Received 391.50 KB (400900 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /VTNb4H/t/ehSMTnlcHV_E4at/VMNw/Jg, accept_types = 84246528, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/VTNb4H/t/ehSMTnlcHV_E4at/VMNw/Jg False 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/VTNb4H/t/ehSMTnlcHV_E4at/VMNw/Jg True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Read Response size = 4096, size_out = 4096 True 3
Read Response size = 4096, size_out = 3883 True 1
Read Response size = 4096, size_out = 4096 True 12
Read Response size = 4096, size_out = 4087 True 1
Read Response size = 4096, size_out = 4096 True 15
Read Response size = 4096, size_out = 4087 True 1
Read Response size = 4096, size_out = 4096 True 15
Read Response size = 4096, size_out = 4087 True 1
Read Response size = 4096, size_out = 4096 True 23
Read Response size = 4096, size_out = 4087 True 1
Read Response size = 4096, size_out = 4096 True 24
Read Response size = 4096, size_out = 3833 True 1
Read Response size = 4096, size_out = 0 True 1
Close Session - True 21
HTTP Session #10
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.69 KB (704 bytes)
Data Received 487.75 KB (499460 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /YrhHB3/us5/0/G0-ef1/NZ/O/fDWW/-V/WDA/, accept_types = 84246528, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/YrhHB3/us5/0/G0-ef1/NZ/O/fDWW/-V/WDA/ False 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/YrhHB3/us5/0/G0-ef1/NZ/O/fDWW/-V/WDA/ True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Read Response size = 4096, size_out = 4096 True 3
Read Response size = 4096, size_out = 3883 True 1
Read Response size = 4096, size_out = 4096 True 12
Read Response size = 4096, size_out = 4087 True 1
Read Response size = 4096, size_out = 4096 True 15
Read Response size = 4096, size_out = 4087 True 1
Read Response size = 4096, size_out = 4096 True 15
Read Response size = 4096, size_out = 4087 True 1
Read Response size = 4096, size_out = 4096 True 23
Read Response size = 4096, size_out = 4088 True 1
Read Response size = 4096, size_out = 4096 True 7
Read Response size = 4096, size_out = 4087 True 1
Read Response size = 4096, size_out = 4096 True 41
Read Response size = 4096, size_out = 1 True 1
Read Response size = 4096, size_out = 0 True 1
Close Session - True 21
HTTP Session #11
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.69 KB (702 bytes)
Data Received 21.94 KB (22468 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /ywhAhCZ/mst0E/m/Xuf/FhGG/fO/NQ/c1HMw, accept_types = 84246528, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/ywhAhCZ/mst0E/m/Xuf/FhGG/fO/NQ/c1HMw False 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/ywhAhCZ/mst0E/m/Xuf/FhGG/fO/NQ/c1HMw True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Read Response size = 4096, size_out = 4096 True 3
Read Response size = 4096, size_out = 3883 True 1
Read Response size = 4096, size_out = 4096 True 1
Read Response size = 4096, size_out = 2197 True 1
Read Response size = 4096, size_out = 0 True 1
Close Session - True 21
HTTP Session #12
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.67 KB (688 bytes)
Data Received 35.19 KB (36036 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /aV1M3/guotHj7McBB8QtOzM9oNJ/Q, accept_types = 84246528, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/aV1M3/guotHj7McBB8QtOzM9oNJ/Q False 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/aV1M3/guotHj7McBB8QtOzM9oNJ/Q True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Read Response size = 4096, size_out = 4096 True 3
Read Response size = 4096, size_out = 3883 True 1
Read Response size = 4096, size_out = 4096 True 4
Read Response size = 4096, size_out = 3477 True 1
Read Response size = 4096, size_out = 0 True 1
Close Session - True 21
HTTP Session #13
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.69 KB (704 bytes)
Data Received 0.19 KB (196 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /gyRVM2W/hM/VOBU/C/fc/UZI/I-So/MMBZP/Q, accept_types = 84246528, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/gyRVM2W/hM/VOBU/C/fc/UZI/I-So/MMBZP/Q False 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/gyRVM2W/hM/VOBU/C/fc/UZI/I-So/MMBZP/Q True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Read Response size = 4096, size_out = 192 True 1
Read Response size = 4096, size_out = 0 True 1
Close Session - True 21
HTTP Session #14
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.68 KB (698 bytes)
Data Received 0.19 KB (196 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /6puLAJKud/1c/xpH0zn/bVRVR8KQTtZ0Dw, accept_types = 84246528, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/6puLAJKud/1c/xpH0zn/bVRVR8KQTtZ0Dw False 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/6puLAJKud/1c/xpH0zn/bVRVR8KQTtZ0Dw True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Read Response size = 4096, size_out = 192 True 1
Read Response size = 4096, size_out = 0 True 1
Close Session - True 21
HTTP Session #15
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.67 KB (684 bytes)
Data Received 0.09 KB (92 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /yl/mtBlP3TBX01/IHcuJe/_tHKA, accept_types = 84246528, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/yl/mtBlP3TBX01/IHcuJe/_tHKA False 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/yl/mtBlP3TBX01/IHcuJe/_tHKA True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Read Response size = 4096, size_out = 88 True 1
Read Response size = 4096, size_out = 0 True 1
Close Session - True 21
HTTP Session #16
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.68 KB (696 bytes)
Data Received 0.19 KB (196 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /PlKl8Vi16/s9BXP/zX7TxAHId6ubq9oLQ, accept_types = 84246528, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/PlKl8Vi16/s9BXP/zX7TxAHId6ubq9oLQ False 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/PlKl8Vi16/s9BXP/zX7TxAHId6ubq9oLQ True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Read Response size = 4096, size_out = 192 True 1
Read Response size = 4096, size_out = 0 True 1
Close Session - True 21
HTTP Session #17
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.68 KB (694 bytes)
Data Received 0.19 KB (196 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /4jfU08/19Z6B/j2VEkt/XJILd/Nv1YEQ, accept_types = 84246528, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/4jfU08/19Z6B/j2VEkt/XJILd/Nv1YEQ False 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/4jfU08/19Z6B/j2VEkt/XJILd/Nv1YEQ True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Read Response size = 4096, size_out = 192 True 1
Read Response size = 4096, size_out = 0 True 1
Close Session - True 21
HTTP Session #18
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.67 KB (688 bytes)
Data Received 0.19 KB (196 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /qE/kvltF/nzoV2/RANMO/gc9JP/AQ, accept_types = 84246528, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/qE/kvltF/nzoV2/RANMO/gc9JP/AQ False 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/qE/kvltF/nzoV2/RANMO/gc9JP/AQ True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Read Response size = 4096, size_out = 192 True 1
Read Response size = 4096, size_out = 0 True 1
Close Session - True 21
HTTP Session #19
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.68 KB (692 bytes)
Data Received 0.19 KB (196 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /DStLW/p-9oH1rpd/VV9/Jva2/dttpAA, accept_types = 84246528, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/DStLW/p-9oH1rpd/VV9/Jva2/dttpAA False 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/DStLW/p-9oH1rpd/VV9/Jva2/dttpAA True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Read Response size = 4096, size_out = 192 True 1
Read Response size = 4096, size_out = 0 True 1
Close Session - True 21
HTTP Session #20
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.68 KB (692 bytes)
Data Received 0.17 KB (176 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /3VIs/0OpV/I/D77b/1ICJ_uWMcF3N/w, accept_types = 84246528, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/3VIs/0OpV/I/D77b/1ICJ_uWMcF3N/w False 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/3VIs/0OpV/I/D77b/1ICJ_uWMcF3N/w True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Read Response size = 4096, size_out = 172 True 1
Read Response size = 4096, size_out = 0 True 1
Close Session - True 21
HTTP Session #21
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.67 KB (690 bytes)
Data Received 0.17 KB (176 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /Syy/sMVlAHTUdV/hI/I/sucUe/5HFw, accept_types = 84246528, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/Syy/sMVlAHTUdV/hI/I/sucUe/5HFw False 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/Syy/sMVlAHTUdV/hI/I/sucUe/5HFw True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Read Response size = 4096, size_out = 172 True 1
Read Response size = 4096, size_out = 0 True 1
Close Session - True 21
HTTP Session #22
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.68 KB (698 bytes)
Data Received 0.19 KB (196 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /eCf57FZh/hv9/6ZjrrfElUMtT/QNd/FkLA, accept_types = 84246528, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/eCf57FZh/hv9/6ZjrrfElUMtT/QNd/FkLA False 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/eCf57FZh/hv9/6ZjrrfElUMtT/QNd/FkLA True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Read Response size = 4096, size_out = 192 True 1
Read Response size = 4096, size_out = 0 True 1
Close Session - True 21
HTTP Session #23
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.69 KB (710 bytes)
Data Received 0.19 KB (196 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /5TGta2dCc5/1uhbJ2/y/f/QmJSRI/e/xRe/N/fdg, accept_types = 84246528, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/5TGta2dCc5/1uhbJ2/y/f/QmJSRI/e/xRe/N/fdg False 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/5TGta2dCc5/1uhbJ2/y/f/QmJSRI/e/xRe/N/fdg True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Read Response size = 4096, size_out = 192 True 1
Read Response size = 4096, size_out = 0 True 1
Close Session - True 21
HTTP Session #24
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.68 KB (692 bytes)
Data Received 0.19 KB (196 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /jypPt/ic/VsA3/n/HX1FhBdiccsdKLg, accept_types = 84246528, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/jypPt/ic/VsA3/n/HX1FhBdiccsdKLg False 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/jypPt/ic/VsA3/n/HX1FhBdiccsdKLg True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Read Response size = 4096, size_out = 192 True 1
Read Response size = 4096, size_out = 0 True 1
Close Session - True 21
HTTP Session #25
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.69 KB (702 bytes)
Data Received 0.19 KB (196 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /ddDmp7/h/9/hY/Pn/2aQkV1HML/S/Zv/N6KQ, accept_types = 84246528, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/ddDmp7/h/9/hY/Pn/2aQkV1HML/S/Zv/N6KQ False 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/ddDmp7/h/9/hY/Pn/2aQkV1HML/S/Zv/N6KQ True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Read Response size = 4096, size_out = 192 True 1
Read Response size = 4096, size_out = 0 True 1
Close Session - True 21
HTTP Session #26
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Server Name 330f35e9f647.loan
Server Port 443
Data Sent 0.67 KB (688 bytes)
Data Received 0.09 KB (92 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 330f35e9f647.loan, server_port = 443 True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /zrx/mc5kKX_VXFNJC8/Cd/eO/VGPg, accept_types = 84246528, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/zrx/mc5kKX_VXFNJC8/Cd/eO/VGPg False 1
Send HTTP Request headers = Connection: close , url = 330f35e9f647.loan/zrx/mc5kKX_VXFNJC8/Cd/eO/VGPg True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Read Response size = 4096, size_out = 88 True 1
Read Response size = 4096, size_out = 0 True 1
Close Session - True 21
Process #17: svchost.exe
(Host: 246, Network: 0)
Information Value
ID #17
File Name c:\windows\syswow64\svchost.exe
Command Line C:\Windows\SysWOW64\svchost.exe -k netsvcs
Initial Working Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\
Monitor Start Time: 00:05:05, Reason: Child Process
Unmonitor End Time: 00:15:27, Reason: Terminated by Timeout
Monitor Duration 00:10:22
OS Process Information
Information Value
PID 0x3d0
Parent PID 0x1a4 (c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Groups
  • LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0001400a (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x F8C
0x 2B0
0x DC4
0x F4
0x CAC
0x 8CC
0x CC4
0x CA0
0x CB0
0x 740
0x 2C4
0x ED4
0x B84
0x D10
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
private_0x0000000000010000 0x00010000 0x00013fff Private Memory Readable, Writable True False False
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False
svchost.exe.mui 0x00030000 0x00030fff Memory Mapped File Readable False False False
pagefile_0x0000000000040000 0x00040000 0x00053fff Pagefile Backed Memory Readable True False False
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory Readable, Writable True False False
pagefile_0x00000000000a0000 0x000a0000 0x000a3fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000000b0000 0x000b0000 0x000b0fff Pagefile Backed Memory Readable True False False
svchost.exe 0x000c0000 0x000cafff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x00000000000d0000 0x000d0000 0x040cffff Pagefile Backed Memory - True False False
private_0x00000000040d0000 0x040d0000 0x0410ffff Private Memory Readable, Writable True False False
private_0x0000000004110000 0x04110000 0x04111fff Private Memory Readable, Writable True False False
private_0x0000000004120000 0x04120000 0x0413ffff Private Memory Readable, Writable, Executable True False False
private_0x0000000004140000 0x04140000 0x0417ffff Private Memory Readable, Writable True False False
private_0x0000000004180000 0x04180000 0x041bffff Private Memory Readable, Writable True False False
locale.nls 0x041c0000 0x0427dfff Memory Mapped File Readable False False False
imm32.dll 0x04280000 0x042a9fff Memory Mapped File Readable False False False
private_0x0000000004280000 0x04280000 0x04280fff Private Memory Readable, Writable True False False
private_0x0000000004290000 0x04290000 0x04290fff Private Memory Readable, Writable True False False
private_0x00000000042a0000 0x042a0000 0x042a0fff Private Memory Readable, Writable, Executable True False False
private_0x00000000042b0000 0x042b0000 0x042b6fff Private Memory Readable, Writable True False False
private_0x00000000042c0000 0x042c0000 0x042fffff Private Memory Readable, Writable True False False
private_0x00000000042c0000 0x042c0000 0x042c5fff Private Memory Readable, Writable, Executable True False False
private_0x00000000042e0000 0x042e0000 0x042e3fff Private Memory Readable, Writable True False False
private_0x0000000004300000 0x04300000 0x043fffff Private Memory Readable, Writable True False False
private_0x0000000004400000 0x04400000 0x044fffff Private Memory Readable, Writable True False False
private_0x0000000004500000 0x04500000 0x0453ffff Private Memory Readable, Writable True False False
pagefile_0x0000000004540000 0x04540000 0x046c7fff Pagefile Backed Memory Readable True False False
private_0x00000000046d0000 0x046d0000 0x048c4fff Private Memory Readable, Writable True False False
pagefile_0x00000000046d0000 0x046d0000 0x04850fff Pagefile Backed Memory Readable True False False
private_0x0000000004860000 0x04860000 0x04860fff Private Memory Readable, Writable True False False
private_0x0000000004870000 0x04870000 0x04873fff Private Memory Readable, Writable True False False
private_0x0000000004880000 0x04880000 0x048bffff Private Memory Readable, Writable True False False
private_0x00000000048c0000 0x048c0000 0x048c4fff Private Memory Readable, Writable True False False
private_0x00000000048d0000 0x048d0000 0x04acffff Private Memory Readable, Writable True False False
private_0x00000000048d0000 0x048d0000 0x048e0fff Private Memory Readable, Writable True False False
private_0x0000000004900000 0x04900000 0x049fffff Private Memory Readable, Writable True False False
pagefile_0x0000000004a00000 0x04a00000 0x05dfffff Pagefile Backed Memory Readable True False False
private_0x0000000005e00000 0x05e00000 0x05efffff Private Memory Readable, Writable True False False
sortdefault.nls 0x05f00000 0x06236fff Memory Mapped File Readable False False False
private_0x0000000006240000 0x06240000 0x0633ffff Private Memory Readable, Writable True False False
private_0x0000000006340000 0x06340000 0x0637ffff Private Memory Readable, Writable True False False
private_0x0000000006380000 0x06380000 0x0647ffff Private Memory Readable, Writable True False False
private_0x0000000006480000 0x06480000 0x064bffff Private Memory Readable, Writable True False False
private_0x00000000064c0000 0x064c0000 0x065bffff Private Memory Readable, Writable True False False
private_0x00000000065c0000 0x065c0000 0x065fffff Private Memory Readable, Writable True False False
private_0x0000000006600000 0x06600000 0x066fffff Private Memory Readable, Writable True False False
private_0x0000000006700000 0x06700000 0x0673ffff Private Memory Readable, Writable True False False
private_0x0000000006740000 0x06740000 0x0683ffff Private Memory Readable, Writable True False False
private_0x0000000006840000 0x06840000 0x0687ffff Private Memory Readable, Writable True False False
private_0x0000000006880000 0x06880000 0x0697ffff Private Memory Readable, Writable True False False
private_0x0000000006980000 0x06980000 0x069bffff Private Memory Readable, Writable True False False
private_0x00000000069c0000 0x069c0000 0x069fffff Private Memory Readable, Writable True False False
private_0x0000000006a00000 0x06a00000 0x06afffff Private Memory Readable, Writable True False False
private_0x0000000006b00000 0x06b00000 0x06bfffff Private Memory Readable, Writable True False False
private_0x0000000006c00000 0x06c00000 0x06cfffff Private Memory Readable, Writable True False False
private_0x0000000006d00000 0x06d00000 0x06ea4fff Private Memory Readable, Writable True False False
private_0x0000000006eb0000 0x06eb0000 0x070affff Private Memory Readable, Writable True False False
private_0x0000000006f00000 0x06f00000 0x06ffffff Private Memory Readable, Writable True False False
wow64cpu.dll 0x581b0000 0x581b7fff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x581c0000 0x5820efff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x58210000 0x58282fff Memory Mapped File Readable, Writable, Executable False False False
cabinet.dll 0x73a60000 0x73a81fff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x74470000 0x74497fff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x744a0000 0x744cefff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x744d0000 0x744e2fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x74530000 0x745a4fff Memory Mapped File Readable, Writable, Executable False False False
secur32.dll 0x745b0000 0x745b9fff Memory Mapped File Readable, Writable, Executable False False False
bcrypt.dll 0x74610000 0x7462afff Memory Mapped File Readable, Writable, Executable False False False
bcryptprimitives.dll 0x74840000 0x74898fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x748a0000 0x748a9fff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x748b0000 0x748cdfff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x74990000 0x74a7ffff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x74a80000 0x74b2bfff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x74d10000 0x74e5cfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x753a0000 0x753e2fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x753f0000 0x754adfff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x75780000 0x75785fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x757f0000 0x7586afff Memory Mapped File Readable, Writable, Executable False False False
combase.dll 0x75a90000 0x75c49fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x75c60000 0x75c8afff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x75c90000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75e70000 0x75fe5fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x77410000 0x77453fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x77680000 0x7779ffff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x777a0000 0x77918fff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007f5ab000 0x7f5ab000 0x7f5adfff Private Memory Readable, Writable True False False
private_0x000000007f5ae000 0x7f5ae000 0x7f5b0fff Private Memory Readable, Writable True False False
private_0x000000007f5b1000 0x7f5b1000 0x7f5b3fff Private Memory Readable, Writable True False False
private_0x000000007f5b4000 0x7f5b4000 0x7f5b6fff Private Memory Readable, Writable True False False
private_0x000000007f5b7000 0x7f5b7000 0x7f5b9fff Private Memory Readable, Writable True False False
private_0x000000007f5ba000 0x7f5ba000 0x7f5bcfff Private Memory Readable, Writable True False False
private_0x000000007f5bd000 0x7f5bd000 0x7f5bffff Private Memory Readable, Writable True False False
pagefile_0x000000007f5c0000 0x7f5c0000 0x7f6bffff Pagefile Backed Memory Readable True False False
pagefile_0x000000007f6c0000 0x7f6c0000 0x7f6e2fff Pagefile Backed Memory Readable True False False
private_0x000000007f6e3000 0x7f6e3000 0x7f6e5fff Private Memory Readable, Writable True False False
private_0x000000007f6e6000 0x7f6e6000 0x7f6e8fff Private Memory Readable, Writable True False False
private_0x000000007f6e9000 0x7f6e9000 0x7f6ebfff Private Memory Readable, Writable True False False
private_0x000000007f6ec000 0x7f6ec000 0x7f6ecfff Private Memory Readable, Writable True False False
private_0x000000007f6ef000 0x7f6ef000 0x7f6effff Private Memory Readable, Writable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7dfe18a2ffff Private Memory Readable True False False
pagefile_0x00007dfe18a30000 0x7dfe18a30000 0x7ffe18a2ffff Pagefile Backed Memory - True False False
ntdll.dll 0x7ffe18a30000 0x7ffe18bf1fff Memory Mapped File Readable, Writable, Executable False False False
private_0x00007ffe18bf2000 0x7ffe18bf2000 0x7ffffffeffff Private Memory Readable True False False
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count Logfile
Modify Memory #13: c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 0x204 address = 0x4120000, size = 131072 True 1
Modify Memory #13: c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 0x204 address = 0x413b6a4, size = 4 True 1
Modify Memory #13: c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 0x204 address = 0x413b7c0, size = 4 True 1
Modify Memory #13: c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 0x204 address = 0x413bdb4, size = 4 True 1
Create Remote Thread #13: c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe 0x204 address = 0x412b50c True 1
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\ciihmn~1\appdata\local\temp\cab7de7.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\cab7de8.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\cab7de9.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\cab7dea.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\cab7deb.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmn~1\appdata\local\temp\upd9948.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
Host Behavior
File (46)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\upd9948.tmp desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\CAB7DE7.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\CAB7DE8.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\CAB7DE9.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\CAB7DEA.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\CAB7DEB.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\upd9948.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\, prefix = upd True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\cab9948.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\, prefix = cab True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\CAB7DE7.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\, prefix = CABINET True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\CAB7DE8.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\, prefix = CABINET True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\CAB7DE9.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\, prefix = CABINET True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\CAB7DEA.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\, prefix = CABINET True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\CAB7DEB.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\, prefix = CABINET True 1
Fn
Get Info C:\Users type = file_attributes True 2
Fn
Get Info C:\Users\CIiHmnxMn6Ps type = file_attributes True 2
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData type = file_attributes True 2
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming type = file_attributes True 2
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia type = file_attributes True 2
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player type = file_attributes True 2
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com type = file_attributes True 2
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support type = file_attributes True 2
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer type = file_attributes True 2
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys type = file_attributes True 2
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 800 True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\eckiiks type = file_attributes False 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\ufykkeb type = file_attributes False 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix type = size, size_out = 65711 True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\upd9948.tmp type = size True 1
Fn
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 800, size_out = 800 True 1
Fn
Data
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 65711, size_out = 65711 True 1
Fn
Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 1367 True 1
Fn
Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\pgyFOAeI3.wix size = 65948 True 1
Fn
Data
Registry (37)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Fn
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 2
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 3
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi - True 4
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 2
Fn
Data
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 2
Fn
Data
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 4
Fn
Data
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_BINARY True 2
Fn
Data
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 2
Fn
Data
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Akudfeen, type = REG_BINARY True 2
Fn
Data
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Axoha, type = REG_BINARY True 4
Fn
Data
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, type = REG_BINARY True 2
Fn
Data
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Akudfeen, type = REG_BINARY True 2
Fn
Data
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, size = 1776, type = REG_BINARY True 1
Fn
Data
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi value_name = Uzapze, size = 1776, type = REG_BINARY True 1
Fn
Data
Module (136)
Operation Module Additional Information Success Count Logfile
Load KERNEL32.dll base_address = 0x74990000 True 2
Fn
Load USER32.dll base_address = 0x75c90000 True 2
Fn
Load NTDLL base_address = 0x777a0000 True 2
Fn
Load advapi32.dll base_address = 0x757f0000 True 1
Fn
Load shlwapi.dll base_address = 0x77410000 True 1
Fn
Load psapi.dll base_address = 0x75780000 True 1
Fn
Load secur32.dll base_address = 0x745b0000 True 1
Fn
Load SSPICLI base_address = 0x748b0000 True 1
Fn
Load SHLWAPI.dll base_address = 0x77410000 True 1
Fn
Load PSAPI.DLL base_address = 0x75780000 True 1
Fn
Load MSVCRT.dll base_address = 0x753f0000 True 1
Fn
Load cabinet.dll base_address = 0x73a60000 True 1
Fn
Get Handle advapi32.dll base_address = 0x0 False 1
Fn
Get Handle shlwapi.dll base_address = 0x0 False 1
Fn
Get Handle psapi.dll base_address = 0x0 False 1
Fn
Get Handle secur32.dll base_address = 0x0 False 1
Fn
Get Handle c:\windows\syswow64\svchost.exe base_address = 0xc0000 True 1
Fn
Get Filename psapi.dll process_name = c:\windows\syswow64\svchost.exe, file_name_orig = C:\Windows\SysWOW64\svchost.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedExchange, address_out = 0x749a7650 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapCreate, address_out = 0x749a9950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x749a25e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x777dbae0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x777dda90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapDestroy, address_out = 0x749ad940 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x749a7910 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedIncrement, address_out = 0x749a7520 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x749a9640 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x749a77b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x749ad8d0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryW, address_out = 0x749aa0b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x749a7940 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x749a9660 True 2
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadImageW, address_out = 0x75cc4500 True 2
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlAddVectoredExceptionHandler, address_out = 0x777ff090 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitializeCriticalSection, address_out = 0x777f95f0 True 1
Fn
Get Address c:\windows\syswow64\sspicli.dll function = GetUserNameExW, address_out = 0x748bc5f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x749a98f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalLock, address_out = 0x749a1bc0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalUnlock, address_out = 0x749a2a10 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OpenProcess, address_out = 0x749a92b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThread, address_out = 0x749a9700 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x749a1b90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateThread, address_out = 0x749afcb0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x749a2db0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSection, address_out = 0x777f95f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x777e5e80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x777e5e00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x749b6110 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandle, address_out = 0x749b6350 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSize, address_out = 0x749b6360 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x749b6590 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x749b64a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x749b62a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetEndOfFile, address_out = 0x749b64f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x749b6530 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x749b5f20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocalTime, address_out = 0x749a9a60 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FileTimeToLocalFileTime, address_out = 0x749b61c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FileTimeToDosDateTime, address_out = 0x749b2360 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiW, address_out = 0x749a7540 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x749ae320 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x749b3a30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x749a2d80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTempPathA, address_out = 0x749b6410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTempPathW, address_out = 0x749b6420 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTempFileNameA, address_out = 0x749b63f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTempFileNameW, address_out = 0x749b6400 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = QueryDosDeviceA, address_out = 0x749cae50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x749b6170 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x749b6180 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileA, address_out = 0x749b61a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileW, address_out = 0x749b61b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileW, address_out = 0x749b67b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x749a2d60 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x749a75a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatW, address_out = 0x749af6d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatW, address_out = 0x749af140 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DisableThreadLibraryCalls, address_out = 0x749aa0d0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SetTimer, address_out = 0x75cacd50 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DrawIcon, address_out = 0x75cbdc70 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetForegroundWindow, address_out = 0x75cc50f0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetWindowTextW, address_out = 0x75cb4710 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetWindowTextLengthW, address_out = 0x75cb4640 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ChangeClipboardChain, address_out = 0x75cc5eb0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MapVirtualKeyExW, address_out = 0x75cf4900 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetIconInfo, address_out = 0x75cbe6e0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetRawInputData, address_out = 0x75cc87f0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = RegisterRawInputDevices, address_out = 0x75cc8d50 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetKeyNameTextW, address_out = 0x75cf48f0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetClipboardData, address_out = 0x75cc29b0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetKeyboardState, address_out = 0x75cc54a0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = IsClipboardFormatAvailable, address_out = 0x75cc5020 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetWindowThreadProcessId, address_out = 0x75caba70 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SetClipboardViewer, address_out = 0x75cc5ec0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CloseClipboard, address_out = 0x75cc5a00 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = OpenClipboard, address_out = 0x75cc1770 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CreateWindowExW, address_out = 0x75ca91c0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = RegisterClassExW, address_out = 0x75ca8ee0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x7781caa0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = AttachThreadInput, address_out = 0x75cc5be0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PostThreadMessageW, address_out = 0x75caddc0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SendMessageW, address_out = 0x75ca38f0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DispatchMessageW, address_out = 0x75ca3e40 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = wsprintfA, address_out = 0x75cbea00 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetMessageW, address_out = 0x75cc3230 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetKeyboardLayout, address_out = 0x75caceb0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ToUnicodeEx, address_out = 0x75d0f4c0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetCursorPos, address_out = 0x75cbdc20 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = wsprintfW, address_out = 0x75cbddf0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = TranslateMessage, address_out = 0x75cab9d0 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = StrStrIA, address_out = 0x7742cd10 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsW, address_out = 0x77428340 True 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = GetProcessImageFileNameA, address_out = 0x757816e0 True 1
Fn
Get Address c:\windows\syswow64\msvcrt.dll function = _initterm, address_out = 0x75456880 True 1
Fn
Get Address c:\windows\syswow64\msvcrt.dll function = ??1type_info@@UAE@XZ, address_out = 0x75430fc0 True 1
Fn
Get Address c:\windows\syswow64\msvcrt.dll function = _onexit, address_out = 0x75447310 True 1
Fn
Get Address c:\windows\syswow64\msvcrt.dll function = __dllonexit, address_out = 0x75447230 True 1
Fn
Get Address c:\windows\syswow64\msvcrt.dll function = memset, address_out = 0x75478ca0 True 1
Fn
Get Address c:\windows\syswow64\msvcrt.dll function = memcpy, address_out = 0x754784c0 True 1
Fn
Get Address c:\windows\syswow64\msvcrt.dll function = strrchr, address_out = 0x75479620 True 1
Fn
Get Address c:\windows\syswow64\msvcrt.dll function = _strnicmp, address_out = 0x75476890 True 1
Fn
Get Address c:\windows\syswow64\msvcrt.dll function = memmove, address_out = 0x754788d0 True 1
Fn
Get Address c:\windows\syswow64\msvcrt.dll function = _wcsdup, address_out = 0x754771a0 True 1
Fn
Get Address c:\windows\syswow64\msvcrt.dll function = realloc, address_out = 0x754379b0 True 1
Fn
Get Address c:\windows\syswow64\msvcrt.dll function = malloc, address_out = 0x754378c0 True 1
Fn
Get Address c:\windows\syswow64\msvcrt.dll function = free, address_out = 0x75437700 True 1
Fn
Get Address c:\windows\syswow64\msvcrt.dll function = ??3@YAXPAX@Z, address_out = 0x75434f40 True 1
Fn
Get Address c:\windows\syswow64\msvcrt.dll function = _adjust_fdiv, address_out = 0x754a5d04 True 1
Fn
Get Address c:\windows\syswow64\cabinet.dll function = FCICreate, address_out = 0x73a6f660 True 1
Fn
Window (1)
Operation Window Name Additional Information Success Count Logfile
Create - class_name = gyiilcjfsgwyvovkmvmubswahvfrkihnplscfwmjvqogqesosrvejbsyldrbhcoyykylbceivebyigadixbljnhxaacgykdkauce, wndproc_parameter = 0 True 1
System (7)
Operation Additional Information Success Count Logfile
Sleep duration = -1 (infinite) False 2
Sleep duration = 60000 milliseconds (60.000 seconds) True 1
Get Time type = Local Time, time = 2017-11-30 14:40:01 (Local Time) True 1
Get Time type = System Time, time = 2017-11-30 03:40:01 (UTC) True 1
Get Info type = Operating System False 2
Mutex (11)
Operation Additional Information Success Count Logfile
Create mutex_name = 8592029A1BBD0F5EDCA2A860E613ACDB True 1
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Create mutex_name = 99DCC4F63896BA52D9D5D3F7098E00E5 True 1
Create mutex_name = 99DCC4F63896BA52D9D5D3F7098E00E5 True 1
Create mutex_name = ACD86ED691154353041C7827C4241C0D True 1
Create mutex_name = BA6E0713253533C2BD32E023F51DAAB1 True 1
Create mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1
Release mutex_name = 99DCC4F63896BA52D9D5D3F7098E00E5 True 1
Release mutex_name = 99DCC4F63896BA52D9D5D3F7098E00E5 True 1
Release mutex_name = BA375714EF21E8EC8F43FB71FA3700CC True 1