34e6ca7f...2f7e

Monitored Processes

Process Overview

ID	PID	Monitor Reason	Integrity Level	Image Name	Command Line	Origin ID
#1	0x720	Analysis Target	High (Elevated)	attacker.exe	"C:\Users\CIiHmnxMn6Ps\Desktop\Attacker.exe"	-
#2	0xf4	Child Process	High (Elevated)	cmd.exe	C:\Windows\system32\cmd.exe /c ""C:\Users\CIIHMN~1\AppData\Local\Temp\4D82\FE41.bat" "C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" "C:\Users\CIIHMN~1\Desktop\Attacker.exe""	#1
#4	0x7a0	Child Process	High (Elevated)	cmd.exe	cmd /C ""C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" "C:\Users\CIIHMN~1\Desktop\Attacker.exe""	#2
#5	0x318	Child Process	High (Elevated)	autoclb.exe	"C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" "C:\Users\CIIHMN~1\Desktop\Attacker.exe"	#4
#6	0xb7c	Autostart	Medium	autoclb.exe	"C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe"	-
#7	0x534	Child Process	Medium	svchost.exe	C:\Windows\system32\svchost.exe	#6
#8	0x824	Injection	Medium	explorer.exe	C:\Windows\Explorer.EXE	#7
#9	0x560	Child Process	Medium	cmd.exe	cmd /C "systeminfo.exe > C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"	#8
#11	0x848	Child Process	Medium	makecab.exe	makecab.exe /F "C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin"	#8
#13	0xa90	Child Process	Medium	systeminfo.exe	systeminfo.exe	#9
#19	0x8f4	Child Process	Medium	cmd.exe	cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"	#8
#21	0x428	Child Process	Medium	cmd.exe	cmd /C "net view >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"	#8
#23	0x2c8	Child Process	Medium	net.exe	net view	#21
#24	0x200	Child Process	Medium	cmd.exe	cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"	#8
#26	0x8cc	Child Process	Medium	cmd.exe	cmd /C "nslookup 127.0.0.1 >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"	#8
#28	0x410	Child Process	Medium	nslookup.exe	nslookup 127.0.0.1	#26
#29	0x274	Child Process	Medium	cmd.exe	cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"	#8
#31	0xb18	Child Process	Medium	cmd.exe	cmd /C "tasklist.exe /SVC >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"	#8
#33	0xa3c	Child Process	Medium	tasklist.exe	tasklist.exe /SVC	#31
#34	0xbbc	Child Process	Medium	cmd.exe	cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"	#8
#36	0xb00	Child Process	Medium	cmd.exe	cmd /C "driverquery.exe >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"	#8
#38	0x9a8	Child Process	Medium	driverquery.exe	driverquery.exe	#36
#39	0x8c0	Child Process	Medium	cmd.exe	cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"	#8
#41	0xb6c	Child Process	Medium	cmd.exe	cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"	#8
#43	0x534	Child Process	Medium	reg.exe	reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s	#41
#44	0x8ec	Child Process	Medium	cmd.exe	cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"	#8
#46	0x3ac	Child Process	Medium	cmd.exe	cmd /U /C "type C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1 > C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin & del C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"	#8
#49	0xa4c	Child Process	Medium	makecab.exe	makecab.exe /F "C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.bin"	#8

Behavior Information - Sequential View

Process #1: attacker.exe

1509

Information	Value
ID	#1
File Name	c:\users\ciihmnxmn6ps\desktop\attacker.exe
Command Line	"C:\Users\CIiHmnxMn6Ps\Desktop\Attacker.exe"
Initial Working Directory	C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor	Start Time: 00:00:27, Reason: Analysis Target
Unmonitor	End Time: 00:00:55, Reason: Self Terminated
Monitor Duration	00:00:28

OS Process Information

Information	Value
PID	0x720
Parent PID	0x508 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x B4C 0x 644 0x 8DC 0x AC8 0x A2C 0x 128 0x AE0 0x 7C0 0x 6B4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00023fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	rw	-
pagefile_0x0000000000040000	0x00040000	0x00053fff	Pagefile Backed Memory	r	-
private_0x0000000000060000	0x00060000	0x0009ffff	Private Memory	rw	-
private_0x0000000000060000	0x00060000	0x00060fff	Private Memory	rw	-
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	rw	-
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x00090fff	Private Memory	rw	-
private_0x00000000000a0000	0x000a0000	0x0019ffff	Private Memory	rw	-
private_0x00000000000a0000	0x000a0000	0x000a0fff	Private Memory	rw	-
private_0x00000000000b0000	0x000b0000	0x000b0fff	Private Memory	rw	-
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	rw	-
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	rw	-
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	rw	-
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	rw	-
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	rw	-
private_0x0000000000110000	0x00110000	0x00110fff	Private Memory	rw	-
private_0x0000000000120000	0x00120000	0x00120fff	Private Memory	rw	-
private_0x0000000000130000	0x00130000	0x00130fff	Private Memory	rw	-
private_0x0000000000140000	0x00140000	0x00140fff	Private Memory	rw	-
private_0x0000000000150000	0x00150000	0x00150fff	Private Memory	rw	-
private_0x0000000000160000	0x00160000	0x00160fff	Private Memory	rw	-
private_0x0000000000170000	0x00170000	0x00170fff	Private Memory	rw	-
private_0x0000000000180000	0x00180000	0x00180fff	Private Memory	rw	-
private_0x0000000000190000	0x00190000	0x00190fff	Private Memory	rw	-
pagefile_0x00000000001a0000	0x001a0000	0x001a3fff	Pagefile Backed Memory	r	-
pagefile_0x00000000001b0000	0x001b0000	0x001b0fff	Pagefile Backed Memory	r	-
private_0x00000000001c0000	0x001c0000	0x001c1fff	Private Memory	rw	-
locale.nls	0x001d0000	0x0028dfff	Memory Mapped File	r	-
private_0x0000000000290000	0x00290000	0x002cffff	Private Memory	rw	-
private_0x00000000002d0000	0x002d0000	0x0030ffff	Private Memory	rw	-
private_0x0000000000310000	0x00310000	0x0031ffff	Private Memory	rw	-
private_0x0000000000320000	0x00320000	0x0035ffff	Private Memory	rw	-
private_0x0000000000360000	0x00360000	0x00360fff	Private Memory	rw	-
msvfw32.dll.mui	0x00370000	0x00371fff	Memory Mapped File	r	-
private_0x0000000000380000	0x00380000	0x0038ffff	Private Memory	rw	-
private_0x0000000000390000	0x00390000	0x00393fff	Private Memory	rw	-
pagefile_0x00000000003a0000	0x003a0000	0x003a1fff	Pagefile Backed Memory	r	-
private_0x00000000003b0000	0x003b0000	0x003b0fff	Private Memory	rw	-
pagefile_0x00000000003c0000	0x003c0000	0x003c1fff	Pagefile Backed Memory	r	-
private_0x00000000003d0000	0x003d0000	0x003d0fff	Private Memory	rw	-
private_0x00000000003e0000	0x003e0000	0x003e0fff	Private Memory	rw	-
private_0x00000000003f0000	0x003f0000	0x003f0fff	Private Memory	rw	-
attacker.exe	0x00400000	0x004d0fff	Memory Mapped File	rwx	... Region Actions Download Dump
private_0x00000000004e0000	0x004e0000	0x0051ffff	Private Memory	rw	-
private_0x0000000000520000	0x00520000	0x00520fff	Private Memory	rw	-
private_0x0000000000530000	0x00530000	0x00530fff	Private Memory	rw	-
private_0x0000000000540000	0x00540000	0x00540fff	Private Memory	rw	-
private_0x0000000000550000	0x00550000	0x00550fff	Private Memory	rw	-
private_0x0000000000560000	0x00560000	0x00560fff	Private Memory	rw	-
private_0x0000000000570000	0x00570000	0x00570fff	Private Memory	rw	-
private_0x0000000000580000	0x00580000	0x0067ffff	Private Memory	rw	-
private_0x0000000000680000	0x00680000	0x0077ffff	Private Memory	rw	-
private_0x0000000000780000	0x00780000	0x0087ffff	Private Memory	rw	-
private_0x0000000000880000	0x00880000	0x0097ffff	Private Memory	rw	-
pagefile_0x0000000000980000	0x00980000	0x00b07fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000b10000	0x00b10000	0x00c90fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000ca0000	0x00ca0000	0x0209ffff	Pagefile Backed Memory	r	-
private_0x00000000020a0000	0x020a0000	0x0219ffff	Private Memory	rw	-
private_0x00000000021a0000	0x021a0000	0x021a0fff	Private Memory	rw	-
private_0x00000000021b0000	0x021b0000	0x021b0fff	Private Memory	rw	-
private_0x00000000021c0000	0x021c0000	0x021c0fff	Private Memory	rw	-
private_0x00000000021d0000	0x021d0000	0x021dffff	Private Memory	rw	-
sortdefault.nls	0x021e0000	0x02516fff	Memory Mapped File	r	-
private_0x0000000002520000	0x02520000	0x0265ffff	Private Memory	rw	-
private_0x0000000002520000	0x02520000	0x02520fff	Private Memory	rw	-
private_0x0000000002530000	0x02530000	0x02530fff	Private Memory	rw	-
private_0x0000000002540000	0x02540000	0x02540fff	Private Memory	rw	-
private_0x0000000002550000	0x02550000	0x02550fff	Private Memory	rw	-
private_0x0000000002560000	0x02560000	0x02560fff	Private Memory	rw	-
private_0x0000000002570000	0x02570000	0x02570fff	Private Memory	rw	-
private_0x0000000002580000	0x02580000	0x02580fff	Private Memory	rw	-
private_0x0000000002590000	0x02590000	0x02590fff	Private Memory	rw	-
private_0x00000000025a0000	0x025a0000	0x025a0fff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x025b0fff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x025c0fff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x025d0fff	Private Memory	rw	-
private_0x00000000025e0000	0x025e0000	0x025e0fff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x025f0fff	Private Memory	rw	-
private_0x0000000002600000	0x02600000	0x02600fff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x02610fff	Private Memory	rw	-
private_0x0000000002620000	0x02620000	0x02620fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x02630fff	Private Memory	rw	-
private_0x0000000002640000	0x02640000	0x02640fff	Private Memory	rw	-
private_0x0000000002650000	0x02650000	0x0265ffff	Private Memory	rw	-
private_0x0000000002660000	0x02660000	0x027fffff	Private Memory	rw	-
private_0x0000000002660000	0x02660000	0x02660fff	Private Memory	rw	-
private_0x0000000002670000	0x02670000	0x02670fff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x02680fff	Private Memory	rw	-
wow64cpu.dll	0x64ae0000	0x64ae7fff	Memory Mapped File	rwx	-
wow64win.dll	0x64af0000	0x64b62fff	Memory Mapped File	rwx	-
wow64.dll	0x64b70000	0x64bbefff	Memory Mapped File	rwx	-
comctl32.dll	0x745f0000	0x747f8fff	Memory Mapped File	rwx	-
dciman32.dll	0x74800000	0x74806fff	Memory Mapped File	rwx	-
ddraw.dll	0x74810000	0x748fafff	Memory Mapped File	rwx	-
glu32.dll	0x74900000	0x74924fff	Memory Mapped File	rwx	-
tapi32.dll	0x74930000	0x74963fff	Memory Mapped File	rwx	-
msvfw32.dll	0x74970000	0x74992fff	Memory Mapped File	rwx	-
devobj.dll	0x749a0000	0x749c0fff	Memory Mapped File	rwx	-
winnsi.dll	0x749d0000	0x749d7fff	Memory Mapped File	rwx	-
winmmbase.dll	0x749e0000	0x74a02fff	Memory Mapped File	rwx	-
opengl32.dll	0x74a10000	0x74aeffff	Memory Mapped File	rwx	-
iphlpapi.dll	0x74af0000	0x74b1ffff	Memory Mapped File	rwx	-
winmm.dll	0x74b20000	0x74b43fff	Memory Mapped File	rwx	-
version.dll	0x74b50000	0x74b57fff	Memory Mapped File	rwx	-
comctl32.dll	0x74b60000	0x74bf1fff	Memory Mapped File	rwx	-
uxtheme.dll	0x74c20000	0x74c94fff	Memory Mapped File	rwx	-
bcryptprimitives.dll	0x74d40000	0x74d98fff	Memory Mapped File	rwx	-
cryptbase.dll	0x74da0000	0x74da9fff	Memory Mapped File	rwx	-
sspicli.dll	0x74db0000	0x74dcdfff	Memory Mapped File	rwx	-
kernelbase.dll	0x74e70000	0x74fe5fff	Memory Mapped File	rwx	-
comdlg32.dll	0x75160000	0x7521dfff	Memory Mapped File	rwx	-
cfgmgr32.dll	0x75220000	0x75255fff	Memory Mapped File	rwx	-
kernel32.dll	0x75260000	0x7534ffff	Memory Mapped File	rwx	-
powrprof.dll	0x753b0000	0x753f3fff	Memory Mapped File	rwx	-
imm32.dll	0x75400000	0x7542afff	Memory Mapped File	rwx	-
shell32.dll	0x75430000	0x767eefff	Memory Mapped File	rwx	-
profapi.dll	0x76810000	0x7681efff	Memory Mapped File	rwx	-
advapi32.dll	0x76a10000	0x76a8afff	Memory Mapped File	rwx	-
setupapi.dll	0x76a90000	0x76c34fff	Memory Mapped File	rwx	-
sechost.dll	0x76c40000	0x76c82fff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76d90000	0x76e3bfff	Memory Mapped File	rwx	-
combase.dll	0x76e40000	0x76ff9fff	Memory Mapped File	rwx	-
gdi32.dll	0x77000000	0x7714cfff	Memory Mapped File	rwx	-
user32.dll	0x77150000	0x7728ffff	Memory Mapped File	rwx	-
shlwapi.dll	0x77290000	0x772d3fff	Memory Mapped File	rwx	-
shcore.dll	0x77340000	0x773ccfff	Memory Mapped File	rwx	-
psapi.dll	0x773d0000	0x773d5fff	Memory Mapped File	rwx	-
nsi.dll	0x773e0000	0x773e6fff	Memory Mapped File	rwx	-
windows.storage.dll	0x773f0000	0x778ccfff	Memory Mapped File	rwx	-
msctf.dll	0x778d0000	0x779effff	Memory Mapped File	rwx	-
msvcrt.dll	0x779f0000	0x77aadfff	Memory Mapped File	rwx	-
kernel.appcore.dll	0x77c30000	0x77c3bfff	Memory Mapped File	rwx	-
ntdll.dll	0x77ca0000	0x77e18fff	Memory Mapped File	rwx	-
private_0x000000007fe40000	0x7fe40000	0x7fe9ffff	Private Memory	rw	-
private_0x000000007feaa000	0x7feaa000	0x7feacfff	Private Memory	rw	-
private_0x000000007fead000	0x7fead000	0x7feaffff	Private Memory	rw	-
pagefile_0x000000007feb0000	0x7feb0000	0x7ffaffff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd5000	0x7ffd5000	0x7ffd7fff	Private Memory	rw	-
private_0x000000007ffd8000	0x7ffd8000	0x7ffdafff	Private Memory	rw	-
private_0x000000007ffdb000	0x7ffdb000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7ff8ee37ffff	Private Memory	r	-
ntdll.dll	0x7ff8ee380000	0x7ff8ee541fff	Memory Mapped File	rwx	-
private_0x00007ff8ee542000	0x7ff8ee542000	0x7ffffffeffff	Private Memory	r	-
For performance reasons, the remaining 62 entries are omitted. The remaining entries can be found in flog.txt.

Created Files

Filename	File Size	Hash Values	Actions
C:\Users\CIIHMN~1\AppData\Local\Temp\4D82\FE41.tmp	0.00 KB	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3::	... File Actions Show Properties
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe	816.00 KB	MD5: 614d298b8690f04b96c6cabc9daf18d3 SHA1: c75106a869334a99e732159186ea7eaefafa9956 SHA256: 94d3ef9a4d2f84f4b34763c33bb3e5472f65b185b3c46e7dec1e1fdd0a4e25d0 SSDeep: 12288:Hcrq243ICNz1TJ987E77JALCkUBmke6dfDKT2UD4w3E1/JoV0TCV+Z:He4d1q7o7Bkz3NDSpyG6+Z	... File Actions Show Properties Download
C:\Users\CIIHMN~1\AppData\Local\Temp\4D82\FE41.bat	0.11 KB	MD5: de62cccde7c3b2d03f0cf2bac762eb4f SHA1: 0fd51e67b3574ae15b1573260ee571443cc2aca7 SHA256: 37c944f962c0713a0e8b62805ff53c49dcb7780268921b46527986523e9525cd SSDeep: 3:ERvM06OWRNfeURMjngU64vHXMJATkUE0VRvJSupn:ERvIRhavvHXMJ2dVRvJNn	... File Actions Show Properties Download

Threads

Thread 0xb4c

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x7527a330	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x75277580	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x75279910	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x7527f400	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77cff190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77cff190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77cff190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77cff190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77cff190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77cff190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77cff190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77cfa200	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77cfa200	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77cff190	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77cfa200	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Filename	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\Attacker.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x75279680	1	Fn
Window	Create	window_name = FTP, class_name = fetches, wndproc_parameter = 0	1	Fn
Module	Get Handle	module_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, base_address = 0x400000	3	Fn

Thread 0xa2c

694

Category	Operation	Information	Count	Logfile
File	Read	filename = STD_ERROR_HANDLE, size = 0	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77cfa200	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77cfa200	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77cff190	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77cfa200	1	Fn
System	Get Cursor	x_out = 809, y_out = 480	730	Fn
Module	Get Handle	module_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, base_address = 0x400000	12	Fn
System	Get Cursor	x_out = 809, y_out = 480	2	Fn
System	Get Cursor	x_out = 427, y_out = 682	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, type = DEBUG_STRING	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77ca0000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76a10000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77ca0000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76a10000	1	Fn
Module	Get Handle	module_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, base_address = 0x400000	1	Fn
System	Get Time	type = System Time, time = 2018-10-25 06:44:20 (UTC)	1	Fn
Module	Load	module_name = ntdll.dll, base_address = 0x77ca0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = memset, address_out = 0x77d0ee50	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = strstr, address_out = 0x77d10010	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = mbstowcs, address_out = 0x77d0e610	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlNtStatusToDosError, address_out = 0x77cf3010	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = memcpy, address_out = 0x77d0e7b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlGetVersion, address_out = 0x77cffcd0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlUnwind, address_out = 0x77cfaca0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwQueryInformationProcess, address_out = 0x77d08d50	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x77d08f40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwOpenProcessToken, address_out = 0x77d09d20	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwQueryInformationToken, address_out = 0x77d08df0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwClose, address_out = 0x77d08cb0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwOpenProcess, address_out = 0x77d08e40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtUnmapViewOfSection, address_out = 0x77d08e80	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtMapViewOfSection, address_out = 0x77d08e60	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtCreateSection, address_out = 0x77d09080	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlFreeUnicodeString, address_out = 0x77cdb940	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlUpcaseUnicodeString, address_out = 0x77cee040	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = _aulldiv, address_out = 0x77d0c680	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtQueryVirtualMemory, address_out = 0x77d08e10	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x77290000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrStrIA, address_out = 0x772acd10	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrChrW, address_out = 0x772a6a00	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindFileNameW, address_out = 0x772a80d0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathCombineW, address_out = 0x772acd50	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindExtensionA, address_out = 0x772b1db0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrChrA, address_out = 0x772b26c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrTrimW, address_out = 0x772a83a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindExtensionW, address_out = 0x772a7c40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrRChrA, address_out = 0x772b2900	1	Fn
Module	Load	module_name = SETUPAPI.dll, base_address = 0x76a90000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\setupapi.dll, function = SetupDiGetDeviceRegistryPropertyA, address_out = 0x76ae19a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\setupapi.dll, function = SetupDiGetClassDevsA, address_out = 0x76ab8d10	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\setupapi.dll, function = SetupDiEnumDeviceInfo, address_out = 0x76aa5620	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\setupapi.dll, function = SetupDiDestroyDeviceInfoList, address_out = 0x76aa5340	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x752725e0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameA, address_out = 0x7527f4b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x752874f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x75279640	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineW, address_out = 0x7527a4b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x77d02570	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x75285f20	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x75279700	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapDestroy, address_out = 0x7527d940	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapCreate, address_out = 0x75279950	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetEvent, address_out = 0x752860c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyW, address_out = 0x7529d410	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetFileAttributesW, address_out = 0x75286510	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x75272d80	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyA, address_out = 0x7527e320	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SwitchToThread, address_out = 0x75279f30	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetEndOfFile, address_out = 0x752864f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventA, address_out = 0x75285f70	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlushFileBuffers, address_out = 0x752862a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTempPathA, address_out = 0x75286410	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x75272db0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileA, address_out = 0x75286270	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x77cdda90	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiW, address_out = 0x75277540	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x75277940	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetWaitableTimer, address_out = 0x752860d0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x752857f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address_out = 0x7529d320	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x752861d0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileA, address_out = 0x75286170	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CompareFileTime, address_out = 0x75286130	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ResetEvent, address_out = 0x752860b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x75286590	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetFileTime, address_out = 0x75286380	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessA, address_out = 0x752a0960	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateDirectoryW, address_out = 0x75286150	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x752861b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x75286180	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateWaitableTimerA, address_out = 0x7527db30	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ResumeThread, address_out = 0x7527a280	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SuspendThread, address_out = 0x7527ed00	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x7527c1f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpynA, address_out = 0x7527f7b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = LocalFree, address_out = 0x752787c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsA, address_out = 0x752a0da0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x752777b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x75283a30	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatA, address_out = 0x7527efc0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x75286110	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x752864a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateDirectoryA, address_out = 0x75286140	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtectEx, address_out = 0x752a2a00	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileA, address_out = 0x75286210	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameA, address_out = 0x7527a040	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x75279560	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSize, address_out = 0x75286360	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x752792b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateRemoteThread, address_out = 0x752a0a00	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x75278b70	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiA, address_out = 0x75277610	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x75278c70	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x75272af0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x75271d90	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetVersion, address_out = 0x7527a300	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLongPathNameW, address_out = 0x752747c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointer, address_out = 0x75286530	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTempFileNameA, address_out = 0x752863f0	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x77150000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x7717ea00	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = CharUpperA, address_out = 0x771831c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = FindWindowA, address_out = 0x77180980	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintfW, address_out = 0x7717ddf0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = MessageBoxA, address_out = 0x771ccf50	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x76a10000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExW, address_out = 0x76a2ed60	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegEnumKeyExA, address_out = 0x76a32520	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyW, address_out = 0x76a2f590	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegDeleteValueW, address_out = 0x76a30ca0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x76a5bda0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExW, address_out = 0x76a2f0a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthorityCount, address_out = 0x76a30f50	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthority, address_out = 0x76a30ea0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = OpenProcessToken, address_out = 0x76a2ee90	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyA, address_out = 0x76a331a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExA, address_out = 0x76a30750	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyA, address_out = 0x76a33150	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetTokenInformation, address_out = 0x76a2ed40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x76a2efa0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExA, address_out = 0x76a2ee40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExA, address_out = 0x76a2f000	1	Fn
Module	Load	module_name = SHELL32.dll, base_address = 0x75430000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteW, address_out = 0x755c4370	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteExW, address_out = 0x755c4cb0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = 92, address_out = 0x756a7560	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x768b0000	1	Fn
Module	Get Address	module_name = Unknown module name, function = CoUninitialize, address_out = 0x76eadca0	1	Fn
Module	Get Address	module_name = Unknown module name, function = CoInitializeEx, address_out = 0x76eacd50	1	Fn

Thread 0x128

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, base_address = 0x400000	2	Fn
System	Get Computer Name	result_out = LHNIWSJ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = InstallDate, data = 65	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\98F9CE91, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
System	Get Time	type = Ticks, time = 124984	1	Fn
System	Sleep	duration = 500 milliseconds (0.500 seconds)	10	Fn
Module	Get Handle	module_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, base_address = 0x400000	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	module_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\Attacker.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsWow64Process, address_out = 0x752796e0	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x77150000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetWindowThreadProcessId, address_out = 0x7716ba70	1	Fn
Window	Find	class_name = ProgMan	1	Fn
Process	Open	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
File	Create	filename = C:\Windows\system32\c_1252.nls, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\system32\c_1252.nls, type = time	1	Fn
File	Create	filename = C:\Windows\system32\c_1252.nls, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\system32\c_1252.nls, type = time	1	Fn
File	Create	filename = C:\Windows\system32\c_1252.nls, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\system32\c_1252.nls, type = time	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77ca0000	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, value_name = cabilipc, data = 160, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_USERS	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_USERS	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_USERS	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_USERS	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_USERS	1	Fn
Registry	Open Key	reg_name = HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	1	Fn
Registry	Read Value	reg_name = HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, value_name = AppData, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, value_name = AppData, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming, type = REG_SZ	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw	1	Fn
Registry	Open Key	reg_name = HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Run	1	Fn
Registry	Write Value	reg_name = HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Run, value_name = cabilipc, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, size = 118, type = REG_SZ	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Desktop\Attacker.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Desktop\Attacker.exe, type = size	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Desktop\Attacker.exe, size = 835584, size_out = 835584	1	Fn Data
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, size = 4096	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, size = 831488	1	Fn Data
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, size = 4096	1	Fn Data
Registry	Create Key	reg_name = HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530	1	Fn
Registry	Read Value	reg_name = HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530, value_name = Client, data = 0, type = REG_NONE	1	Fn
Registry	Write Value	reg_name = HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530, value_name = Install, size = 118, type = REG_BINARY	1	Fn Data
Registry	Enumerate Keys	reg_name = HKEY_USERS	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_USERS	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_USERS	1	Fn
System	Get Time	type = Ticks, time = 130625	2	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\4D82.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create Directory	C:\Users\CIIHMN~1\AppData\Local\Temp\4D82	1	Fn
System	Get Time	type = Ticks, time = 130625	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\4D82\FE41.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\4D82	1	Fn
System	Get Time	type = Ticks, time = 130625	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\4D82\FE41.bat, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\4D82\FE41.bat, size = 110	1	Fn Data
Process	Create	process_name = C:\Users\CIIHMN~1\AppData\Local\Temp\4D82\FE41.bat, show_window = SW_HIDE	1	Fn

Process #2: cmd.exe

144

Information	Value
ID	#2
File Name	c:\windows\syswow64\cmd.exe
Command Line	C:\Windows\system32\cmd.exe /c ""C:\Users\CIIHMN~1\AppData\Local\Temp\4D82\FE41.bat" "C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" "C:\Users\CIIHMN~1\Desktop\Attacker.exe""
Initial Working Directory	C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor	Start Time: 00:00:52, Reason: Child Process
Unmonitor	End Time: 00:01:12, Reason: Self Terminated
Monitor Duration	00:00:20

OS Process Information

Information	Value
PID	0xf4
Parent PID	0x720 (c:\users\ciihmnxmn6ps\desktop\attacker.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 700 0x 630 0x DC0

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x00000000006d0000	0x006d0000	0x006effff	Private Memory	rw	-
pagefile_0x00000000006d0000	0x006d0000	0x006dffff	Pagefile Backed Memory	rw	-
private_0x00000000006e0000	0x006e0000	0x006e3fff	Private Memory	rw	-
private_0x00000000006f0000	0x006f0000	0x006f1fff	Private Memory	rw	-
private_0x00000000006f0000	0x006f0000	0x006f3fff	Private Memory	rw	-
pagefile_0x0000000000700000	0x00700000	0x00713fff	Pagefile Backed Memory	r	-
private_0x0000000000720000	0x00720000	0x0075ffff	Private Memory	rw	-
private_0x0000000000760000	0x00760000	0x0085ffff	Private Memory	rw	-
pagefile_0x0000000000860000	0x00860000	0x00863fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000870000	0x00870000	0x00870fff	Pagefile Backed Memory	r	-
private_0x0000000000880000	0x00880000	0x00881fff	Private Memory	rw	-
private_0x0000000000890000	0x00890000	0x008cffff	Private Memory	rw	-
private_0x00000000008d0000	0x008d0000	0x009cffff	Private Memory	rw	-
private_0x00000000009d0000	0x009d0000	0x009dffff	Private Memory	rw	-
locale.nls	0x009e0000	0x00a9dfff	Memory Mapped File	r	-
private_0x0000000000aa0000	0x00aa0000	0x00b9ffff	Private Memory	rw	-
private_0x0000000000ba0000	0x00ba0000	0x00baffff	Private Memory	rw	-
private_0x0000000000d10000	0x00d10000	0x00d1ffff	Private Memory	rw	-
sortdefault.nls	0x00d20000	0x01056fff	Memory Mapped File	r	-
cmd.exe	0x012b0000	0x012fffff	Memory Mapped File	rwx	-
pagefile_0x0000000001300000	0x01300000	0x052fffff	Pagefile Backed Memory	-	-
wow64cpu.dll	0x64ae0000	0x64ae7fff	Memory Mapped File	rwx	-
wow64win.dll	0x64af0000	0x64b62fff	Memory Mapped File	rwx	-
wow64.dll	0x64b70000	0x64bbefff	Memory Mapped File	rwx	-
cmdext.dll	0x74bf0000	0x74bf7fff	Memory Mapped File	rwx	-
bcryptprimitives.dll	0x74d40000	0x74d98fff	Memory Mapped File	rwx	-
cryptbase.dll	0x74da0000	0x74da9fff	Memory Mapped File	rwx	-
sspicli.dll	0x74db0000	0x74dcdfff	Memory Mapped File	rwx	-
kernelbase.dll	0x74e70000	0x74fe5fff	Memory Mapped File	rwx	-
kernel32.dll	0x75260000	0x7534ffff	Memory Mapped File	rwx	-
advapi32.dll	0x76a10000	0x76a8afff	Memory Mapped File	rwx	-
sechost.dll	0x76c40000	0x76c82fff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76d90000	0x76e3bfff	Memory Mapped File	rwx	-
msvcrt.dll	0x779f0000	0x77aadfff	Memory Mapped File	rwx	-
ntdll.dll	0x77ca0000	0x77e18fff	Memory Mapped File	rwx	-
pagefile_0x000000007f8b0000	0x7f8b0000	0x7f9affff	Pagefile Backed Memory	r	-
pagefile_0x000000007f9b0000	0x7f9b0000	0x7f9d2fff	Pagefile Backed Memory	r	-
private_0x000000007f9d8000	0x7f9d8000	0x7f9dafff	Private Memory	rw	-
private_0x000000007f9db000	0x7f9db000	0x7f9ddfff	Private Memory	rw	-
private_0x000000007f9de000	0x7f9de000	0x7f9defff	Private Memory	rw	-
private_0x000000007f9df000	0x7f9df000	0x7f9dffff	Private Memory	rw	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7df8ee37ffff	Private Memory	r	-
pagefile_0x00007df8ee380000	0x7df8ee380000	0x7ff8ee37ffff	Pagefile Backed Memory	-	-
ntdll.dll	0x7ff8ee380000	0x7ff8ee541fff	Memory Mapped File	rwx	-
private_0x00007ff8ee542000	0x7ff8ee542000	0x7ffffffeffff	Private Memory	r	-

Threads

Thread 0x700

144

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\syswow64\cmd.exe, base_address = 0x12b0000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x752a2780	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 216, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x7527fa80	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7527a790	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x74f835c0	1	Fn
File	Get Info	filename = "C:\Users\CIIHMN~1\AppData\Local\Temp\4D82\FE41.bat", type = file_attributes	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\4D82\FE41.bat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Open	-	2	Fn
File	Read	size = 8191, size_out = 110	1	Fn Data
File	Open	-	1	Fn
File	Get Info	type = file_type	1	Fn
File	Open	-	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\4D82\FE41.bat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Open	-	2	Fn
File	Read	size = 8191, size_out = 99	1	Fn Data
File	Open	-	1	Fn
File	Get Info	type = file_type	1	Fn
File	Open	-	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
Environment	Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 30	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 3	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 4	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 63	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 4	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 12	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\4D82\FE41.bat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Open	-	2	Fn
File	Read	size = 8191, size_out = 66	1	Fn Data
File	Open	-	1	Fn
File	Get Info	type = file_type	1	Fn
File	Open	-	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 30	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 3	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 104	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\cmd.exe, os_pid = 0x7a0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data

Process #4: cmd.exe

Information	Value
ID	#4
File Name	c:\windows\syswow64\cmd.exe
Command Line	cmd /C ""C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" "C:\Users\CIIHMN~1\Desktop\Attacker.exe""
Initial Working Directory	C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor	Start Time: 00:00:57, Reason: Child Process
Unmonitor	End Time: 00:01:12, Reason: Self Terminated
Monitor Duration	00:00:15

OS Process Information

Information	Value
PID	0x7a0
Parent PID	0xf4 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 300 0x 570 0x DBC

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000810000	0x00810000	0x0082ffff	Private Memory	rw	-
pagefile_0x0000000000810000	0x00810000	0x0081ffff	Pagefile Backed Memory	rw	-
private_0x0000000000820000	0x00820000	0x0082ffff	Private Memory	rw	-
private_0x0000000000830000	0x00830000	0x00831fff	Private Memory	rw	-
private_0x0000000000830000	0x00830000	0x00833fff	Private Memory	rw	-
pagefile_0x0000000000840000	0x00840000	0x00853fff	Pagefile Backed Memory	r	-
private_0x0000000000860000	0x00860000	0x0089ffff	Private Memory	rw	-
private_0x00000000008a0000	0x008a0000	0x0099ffff	Private Memory	rw	-
pagefile_0x00000000009a0000	0x009a0000	0x009a3fff	Pagefile Backed Memory	r	-
pagefile_0x00000000009b0000	0x009b0000	0x009b0fff	Pagefile Backed Memory	r	-
private_0x00000000009c0000	0x009c0000	0x009c1fff	Private Memory	rw	-
private_0x00000000009d0000	0x009d0000	0x00a0ffff	Private Memory	rw	-
private_0x0000000000a10000	0x00a10000	0x00a13fff	Private Memory	rw	-
private_0x0000000000a60000	0x00a60000	0x00a6ffff	Private Memory	rw	-
private_0x0000000000ab0000	0x00ab0000	0x00baffff	Private Memory	rw	-
locale.nls	0x00bb0000	0x00c6dfff	Memory Mapped File	r	-
private_0x0000000000c70000	0x00c70000	0x00d6ffff	Private Memory	rw	-
sortdefault.nls	0x00d70000	0x010a6fff	Memory Mapped File	r	-
cmd.exe	0x012b0000	0x012fffff	Memory Mapped File	rwx	-
pagefile_0x0000000001300000	0x01300000	0x052fffff	Pagefile Backed Memory	-	-
wow64cpu.dll	0x64ae0000	0x64ae7fff	Memory Mapped File	rwx	-
wow64win.dll	0x64af0000	0x64b62fff	Memory Mapped File	rwx	-
wow64.dll	0x64b70000	0x64bbefff	Memory Mapped File	rwx	-
apphelp.dll	0x74ca0000	0x74d30fff	Memory Mapped File	rwx	-
kernelbase.dll	0x74e70000	0x74fe5fff	Memory Mapped File	rwx	-
kernel32.dll	0x75260000	0x7534ffff	Memory Mapped File	rwx	-
msvcrt.dll	0x779f0000	0x77aadfff	Memory Mapped File	rwx	-
ntdll.dll	0x77ca0000	0x77e18fff	Memory Mapped File	rwx	-
sysmain.sdb	0x7eab0000	0x7ee3ffff	Memory Mapped File	r	-
pagefile_0x000000007ee40000	0x7ee40000	0x7ef3ffff	Pagefile Backed Memory	r	-
pagefile_0x000000007ef40000	0x7ef40000	0x7ef62fff	Pagefile Backed Memory	r	-
private_0x000000007ef63000	0x7ef63000	0x7ef63fff	Private Memory	rw	-
private_0x000000007ef68000	0x7ef68000	0x7ef6afff	Private Memory	rw	-
private_0x000000007ef6b000	0x7ef6b000	0x7ef6bfff	Private Memory	rw	-
private_0x000000007ef6d000	0x7ef6d000	0x7ef6ffff	Private Memory	rw	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7df8ee37ffff	Private Memory	r	-
pagefile_0x00007df8ee380000	0x7df8ee380000	0x7ff8ee37ffff	Pagefile Backed Memory	-	-
ntdll.dll	0x7ff8ee380000	0x7ff8ee541fff	Memory Mapped File	rwx	-
private_0x00007ff8ee542000	0x7ff8ee542000	0x7ffffffeffff	Private Memory	r	-

Threads

Thread 0x300

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\syswow64\cmd.exe, base_address = 0x12b0000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x752a2780	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 209, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x7527fa80	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7527a790	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x74f835c0	1	Fn
File	Get Info	filename = "C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe", type = file_attributes	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe, os_pid = 0x318, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data

Process #5: autoclb.exe

1435

Information	Value
ID	#5
File Name	c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe
Command Line	"C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" "C:\Users\CIIHMN~1\Desktop\Attacker.exe"
Initial Working Directory	C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor	Start Time: 00:00:58, Reason: Child Process
Unmonitor	End Time: 00:01:11, Reason: Self Terminated
Monitor Duration	00:00:13

OS Process Information

Information	Value
PID	0x318
Parent PID	0x7a0 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 6B4 0x 8DC 0x AE0 0x C24 0x DB8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00023fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	rw	-
pagefile_0x0000000000040000	0x00040000	0x00053fff	Pagefile Backed Memory	r	-
private_0x0000000000060000	0x00060000	0x0009ffff	Private Memory	rw	-
private_0x0000000000060000	0x00060000	0x00060fff	Private Memory	rw	-
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	rw	-
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x00090fff	Private Memory	rw	-
private_0x00000000000a0000	0x000a0000	0x0019ffff	Private Memory	rw	-
private_0x00000000000a0000	0x000a0000	0x000a0fff	Private Memory	rw	-
private_0x00000000000b0000	0x000b0000	0x000b0fff	Private Memory	rw	-
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	rw	-
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	rw	-
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	rw	-
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	rw	-
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	rw	-
private_0x0000000000110000	0x00110000	0x00110fff	Private Memory	rw	-
private_0x0000000000120000	0x00120000	0x00120fff	Private Memory	rw	-
private_0x0000000000130000	0x00130000	0x00130fff	Private Memory	rw	-
private_0x0000000000140000	0x00140000	0x00140fff	Private Memory	rw	-
private_0x0000000000150000	0x00150000	0x00150fff	Private Memory	rw	-
private_0x0000000000160000	0x00160000	0x00160fff	Private Memory	rw	-
private_0x0000000000170000	0x00170000	0x00170fff	Private Memory	rw	-
private_0x0000000000180000	0x00180000	0x00180fff	Private Memory	rw	-
private_0x0000000000190000	0x00190000	0x00190fff	Private Memory	rw	-
pagefile_0x00000000001a0000	0x001a0000	0x001a3fff	Pagefile Backed Memory	r	-
pagefile_0x00000000001b0000	0x001b0000	0x001b0fff	Pagefile Backed Memory	r	-
private_0x00000000001c0000	0x001c0000	0x001c1fff	Private Memory	rw	-
private_0x00000000001d0000	0x001d0000	0x001d0fff	Private Memory	rw	-
private_0x00000000001e0000	0x001e0000	0x001effff	Private Memory	rw	-
locale.nls	0x001f0000	0x002adfff	Memory Mapped File	r	-
private_0x00000000002b0000	0x002b0000	0x002effff	Private Memory	rw	-
private_0x00000000002f0000	0x002f0000	0x003effff	Private Memory	rw	-
msvfw32.dll.mui	0x003f0000	0x003f1fff	Memory Mapped File	r	-
autoclb.exe	0x00400000	0x004d0fff	Memory Mapped File	rwx	-
pagefile_0x00000000004e0000	0x004e0000	0x00667fff	Pagefile Backed Memory	r	-
private_0x0000000000670000	0x00670000	0x00673fff	Private Memory	rw	-
pagefile_0x0000000000680000	0x00680000	0x00681fff	Pagefile Backed Memory	r	-
private_0x0000000000690000	0x00690000	0x00690fff	Private Memory	rw	-
private_0x00000000006a0000	0x006a0000	0x0079ffff	Private Memory	rw	-
pagefile_0x00000000007a0000	0x007a0000	0x007a1fff	Pagefile Backed Memory	r	-
private_0x00000000007b0000	0x007b0000	0x007effff	Private Memory	rw	-
private_0x00000000007f0000	0x007f0000	0x007fffff	Private Memory	rw	-
pagefile_0x0000000000800000	0x00800000	0x00980fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000990000	0x00990000	0x01d8ffff	Pagefile Backed Memory	r	-
private_0x0000000001d90000	0x01d90000	0x01f2ffff	Private Memory	rw	-
private_0x0000000001d90000	0x01d90000	0x01e3ffff	Private Memory	rw	-
private_0x0000000001d90000	0x01d90000	0x01d90fff	Private Memory	rw	-
private_0x0000000001da0000	0x01da0000	0x01da0fff	Private Memory	rw	-
private_0x0000000001db0000	0x01db0000	0x01db0fff	Private Memory	rw	-
private_0x0000000001dc0000	0x01dc0000	0x01dc0fff	Private Memory	rw	-
private_0x0000000001dd0000	0x01dd0000	0x01dd0fff	Private Memory	rw	-
private_0x0000000001de0000	0x01de0000	0x01de0fff	Private Memory	rw	-
private_0x0000000001df0000	0x01df0000	0x01df0fff	Private Memory	rw	-
private_0x0000000001e00000	0x01e00000	0x01e00fff	Private Memory	rw	-
private_0x0000000001e10000	0x01e10000	0x01e10fff	Private Memory	rw	-
private_0x0000000001e20000	0x01e20000	0x01e20fff	Private Memory	rw	-
private_0x0000000001e30000	0x01e30000	0x01e3ffff	Private Memory	rw	-
private_0x0000000001e40000	0x01e40000	0x01e40fff	Private Memory	rw	-
private_0x0000000001e50000	0x01e50000	0x01e50fff	Private Memory	rw	-
private_0x0000000001e60000	0x01e60000	0x01e60fff	Private Memory	rw	-
private_0x0000000001e70000	0x01e70000	0x01e70fff	Private Memory	rw	-
private_0x0000000001e80000	0x01e80000	0x01e80fff	Private Memory	rw	-
private_0x0000000001e90000	0x01e90000	0x01e90fff	Private Memory	rw	-
private_0x0000000001ea0000	0x01ea0000	0x01ea0fff	Private Memory	rw	-
private_0x0000000001eb0000	0x01eb0000	0x01eb0fff	Private Memory	rw	-
private_0x0000000001ec0000	0x01ec0000	0x01ec0fff	Private Memory	rw	-
private_0x0000000001ed0000	0x01ed0000	0x01ed0fff	Private Memory	rw	-
private_0x0000000001ee0000	0x01ee0000	0x01ee0fff	Private Memory	rw	-
private_0x0000000001ef0000	0x01ef0000	0x01ef0fff	Private Memory	rw	-
private_0x0000000001f00000	0x01f00000	0x01f00fff	Private Memory	rw	-
private_0x0000000001f10000	0x01f10000	0x01f10fff	Private Memory	rw	-
private_0x0000000001f20000	0x01f20000	0x01f2ffff	Private Memory	rw	-
private_0x0000000001f30000	0x01f30000	0x01f30fff	Private Memory	rw	-
private_0x0000000001f40000	0x01f40000	0x01f40fff	Private Memory	rw	-
private_0x0000000001f50000	0x01f50000	0x01f50fff	Private Memory	rw	-
private_0x0000000001f60000	0x01f60000	0x01f60fff	Private Memory	rw	-
private_0x0000000001f70000	0x01f70000	0x01f7ffff	Private Memory	rw	-
sortdefault.nls	0x01f80000	0x022b6fff	Memory Mapped File	r	-
private_0x00000000022c0000	0x022c0000	0x023bffff	Private Memory	rw	-
private_0x00000000023c0000	0x023c0000	0x023c0fff	Private Memory	rw	-
private_0x00000000023d0000	0x023d0000	0x023d0fff	Private Memory	rw	-
private_0x00000000023e0000	0x023e0000	0x023e0fff	Private Memory	rw	-
private_0x00000000023f0000	0x023f0000	0x023f0fff	Private Memory	rw	-
private_0x0000000002400000	0x02400000	0x02400fff	Private Memory	rw	-
private_0x0000000002410000	0x02410000	0x02410fff	Private Memory	rw	-
private_0x0000000002420000	0x02420000	0x02420fff	Private Memory	rw	-
private_0x0000000002430000	0x02430000	0x02430fff	Private Memory	rw	-
private_0x0000000002440000	0x02440000	0x02440fff	Private Memory	rw	-
private_0x0000000002450000	0x02450000	0x02450fff	Private Memory	rw	-
wow64cpu.dll	0x64ae0000	0x64ae7fff	Memory Mapped File	rwx	-
wow64win.dll	0x64af0000	0x64b62fff	Memory Mapped File	rwx	-
wow64.dll	0x64b70000	0x64bbefff	Memory Mapped File	rwx	-
comctl32.dll	0x745e0000	0x747e8fff	Memory Mapped File	rwx	-
tapi32.dll	0x747f0000	0x74823fff	Memory Mapped File	rwx	-
devobj.dll	0x74830000	0x74850fff	Memory Mapped File	rwx	-
dciman32.dll	0x74860000	0x74866fff	Memory Mapped File	rwx	-
winnsi.dll	0x74870000	0x74877fff	Memory Mapped File	rwx	-
winmmbase.dll	0x74880000	0x748a2fff	Memory Mapped File	rwx	-
ddraw.dll	0x748b0000	0x7499afff	Memory Mapped File	rwx	-
glu32.dll	0x749a0000	0x749c4fff	Memory Mapped File	rwx	-
iphlpapi.dll	0x749d0000	0x749fffff	Memory Mapped File	rwx	-
winmm.dll	0x74a00000	0x74a23fff	Memory Mapped File	rwx	-
msvfw32.dll	0x74a30000	0x74a52fff	Memory Mapped File	rwx	-
version.dll	0x74a60000	0x74a67fff	Memory Mapped File	rwx	-
opengl32.dll	0x74a70000	0x74b4ffff	Memory Mapped File	rwx	-
comctl32.dll	0x74b50000	0x74be1fff	Memory Mapped File	rwx	-
uxtheme.dll	0x74c20000	0x74c94fff	Memory Mapped File	rwx	-
bcryptprimitives.dll	0x74d40000	0x74d98fff	Memory Mapped File	rwx	-
cryptbase.dll	0x74da0000	0x74da9fff	Memory Mapped File	rwx	-
sspicli.dll	0x74db0000	0x74dcdfff	Memory Mapped File	rwx	-
kernelbase.dll	0x74e70000	0x74fe5fff	Memory Mapped File	rwx	-
comdlg32.dll	0x75160000	0x7521dfff	Memory Mapped File	rwx	-
cfgmgr32.dll	0x75220000	0x75255fff	Memory Mapped File	rwx	-
kernel32.dll	0x75260000	0x7534ffff	Memory Mapped File	rwx	-
powrprof.dll	0x753b0000	0x753f3fff	Memory Mapped File	rwx	-
imm32.dll	0x75400000	0x7542afff	Memory Mapped File	rwx	-
shell32.dll	0x75430000	0x767eefff	Memory Mapped File	rwx	-
profapi.dll	0x76810000	0x7681efff	Memory Mapped File	rwx	-
advapi32.dll	0x76a10000	0x76a8afff	Memory Mapped File	rwx	-
setupapi.dll	0x76a90000	0x76c34fff	Memory Mapped File	rwx	-
sechost.dll	0x76c40000	0x76c82fff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76d90000	0x76e3bfff	Memory Mapped File	rwx	-
combase.dll	0x76e40000	0x76ff9fff	Memory Mapped File	rwx	-
gdi32.dll	0x77000000	0x7714cfff	Memory Mapped File	rwx	-
user32.dll	0x77150000	0x7728ffff	Memory Mapped File	rwx	-
shlwapi.dll	0x77290000	0x772d3fff	Memory Mapped File	rwx	-
shcore.dll	0x77340000	0x773ccfff	Memory Mapped File	rwx	-
psapi.dll	0x773d0000	0x773d5fff	Memory Mapped File	rwx	-
nsi.dll	0x773e0000	0x773e6fff	Memory Mapped File	rwx	-
windows.storage.dll	0x773f0000	0x778ccfff	Memory Mapped File	rwx	-
msctf.dll	0x778d0000	0x779effff	Memory Mapped File	rwx	-
msvcrt.dll	0x779f0000	0x77aadfff	Memory Mapped File	rwx	-
kernel.appcore.dll	0x77c30000	0x77c3bfff	Memory Mapped File	rwx	-
ntdll.dll	0x77ca0000	0x77e18fff	Memory Mapped File	rwx	-
private_0x000000007fe50000	0x7fe50000	0x7feaffff	Private Memory	rw	-
pagefile_0x000000007feb0000	0x7feb0000	0x7ffaffff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd5000	0x7ffd5000	0x7ffd7fff	Private Memory	rw	-
private_0x000000007ffd8000	0x7ffd8000	0x7ffdafff	Private Memory	rw	-
private_0x000000007ffdb000	0x7ffdb000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7ff8ee37ffff	Private Memory	r	-
ntdll.dll	0x7ff8ee380000	0x7ff8ee541fff	Memory Mapped File	rwx	-
private_0x00007ff8ee542000	0x7ff8ee542000	0x7ffffffeffff	Private Memory	r	-
For performance reasons, the remaining 25 entries are omitted. The remaining entries can be found in flog.txt.

Hook Information

Type	Installer	Target	Size	Information	Actions
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x1000	13 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x100e	5 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x1014	11 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x1020	6 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x1027	5 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x102d	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x1030	6 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x1039	5 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x1041	7 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x1049	21 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x105f	14 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x1070	11 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x107c	9 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x1086	10 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x1091	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x1096	6 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x109d	13 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x10ab	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x10b4	23 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x10cc	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x10d6	14 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x10e6	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x10ef	19 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x1105	6 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x110e	3 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x1113	23 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x112b	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x1134	13 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x1143	9 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x114d	7 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x1155	7 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x115d	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x1162	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x1165	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x116e	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x1174	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x1179	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x117e	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x1181	13 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x118f	5 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x1195	6 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x119c	5 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x11a2	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x11ab	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x11b0	6 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x11b7	10 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x11c2	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x11c4	5 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x11ca	10 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x11d5	14 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x11e5	7 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x11ed	10 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x11f8	10 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x1205	6 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x120d	30 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x122c	5 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x1232	5 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x1238	10 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000002460000:+0x39f4	autoclb.exe:+0x1243	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification

Threads

Thread 0x6b4

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x7527a330	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x75277580	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x75279910	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x7527f400	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77cff190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77cff190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77cff190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77cff190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77cff190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77cff190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77cff190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77cfa200	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77cfa200	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77cff190	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77cfa200	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Filename	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x75279680	1	Fn
Window	Create	window_name = FTP, class_name = fetches, wndproc_parameter = 0	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, base_address = 0x400000	3	Fn

Thread 0xae0

694

Category	Operation	Information	Count	Logfile
File	Read	filename = STD_ERROR_HANDLE, size = 0	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77cfa200	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77cfa200	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77cff190	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77cfa200	1	Fn
System	Get Cursor	x_out = 424, y_out = 212	715	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, base_address = 0x400000	12	Fn
System	Get Cursor	x_out = 424, y_out = 212	3	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77ca0000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76a10000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77ca0000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76a10000	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, base_address = 0x400000	1	Fn
System	Get Time	type = System Time, time = 2018-10-25 06:44:43 (UTC)	1	Fn
Module	Load	module_name = ntdll.dll, base_address = 0x77ca0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = memset, address_out = 0x77d0ee50	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = strstr, address_out = 0x77d10010	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = mbstowcs, address_out = 0x77d0e610	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlNtStatusToDosError, address_out = 0x77cf3010	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = memcpy, address_out = 0x77d0e7b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlGetVersion, address_out = 0x77cffcd0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlUnwind, address_out = 0x77cfaca0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwQueryInformationProcess, address_out = 0x77d08d50	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x77d08f40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwOpenProcessToken, address_out = 0x77d09d20	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwQueryInformationToken, address_out = 0x77d08df0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwClose, address_out = 0x77d08cb0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwOpenProcess, address_out = 0x77d08e40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtUnmapViewOfSection, address_out = 0x77d08e80	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtMapViewOfSection, address_out = 0x77d08e60	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtCreateSection, address_out = 0x77d09080	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlFreeUnicodeString, address_out = 0x77cdb940	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlUpcaseUnicodeString, address_out = 0x77cee040	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = _aulldiv, address_out = 0x77d0c680	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtQueryVirtualMemory, address_out = 0x77d08e10	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x77290000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrStrIA, address_out = 0x772acd10	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrChrW, address_out = 0x772a6a00	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindFileNameW, address_out = 0x772a80d0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathCombineW, address_out = 0x772acd50	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindExtensionA, address_out = 0x772b1db0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrChrA, address_out = 0x772b26c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrTrimW, address_out = 0x772a83a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindExtensionW, address_out = 0x772a7c40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrRChrA, address_out = 0x772b2900	1	Fn
Module	Load	module_name = SETUPAPI.dll, base_address = 0x76a90000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\setupapi.dll, function = SetupDiGetDeviceRegistryPropertyA, address_out = 0x76ae19a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\setupapi.dll, function = SetupDiGetClassDevsA, address_out = 0x76ab8d10	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\setupapi.dll, function = SetupDiEnumDeviceInfo, address_out = 0x76aa5620	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\setupapi.dll, function = SetupDiDestroyDeviceInfoList, address_out = 0x76aa5340	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x75260000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x752725e0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameA, address_out = 0x7527f4b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x752874f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x75279640	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineW, address_out = 0x7527a4b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x77d02570	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x75285f20	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x75279700	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapDestroy, address_out = 0x7527d940	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapCreate, address_out = 0x75279950	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetEvent, address_out = 0x752860c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyW, address_out = 0x7529d410	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetFileAttributesW, address_out = 0x75286510	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x75272d80	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyA, address_out = 0x7527e320	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SwitchToThread, address_out = 0x75279f30	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetEndOfFile, address_out = 0x752864f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventA, address_out = 0x75285f70	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlushFileBuffers, address_out = 0x752862a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTempPathA, address_out = 0x75286410	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x75272db0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileA, address_out = 0x75286270	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x77cdda90	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiW, address_out = 0x75277540	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x75277940	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetWaitableTimer, address_out = 0x752860d0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x752857f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address_out = 0x7529d320	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x752861d0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileA, address_out = 0x75286170	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CompareFileTime, address_out = 0x75286130	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ResetEvent, address_out = 0x752860b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x75286590	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetFileTime, address_out = 0x75286380	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessA, address_out = 0x752a0960	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateDirectoryW, address_out = 0x75286150	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x752861b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x75286180	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateWaitableTimerA, address_out = 0x7527db30	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ResumeThread, address_out = 0x7527a280	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SuspendThread, address_out = 0x7527ed00	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x7527c1f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpynA, address_out = 0x7527f7b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = LocalFree, address_out = 0x752787c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsA, address_out = 0x752a0da0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x752777b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x75283a30	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatA, address_out = 0x7527efc0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x75286110	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x752864a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateDirectoryA, address_out = 0x75286140	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtectEx, address_out = 0x752a2a00	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileA, address_out = 0x75286210	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameA, address_out = 0x7527a040	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x75279560	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSize, address_out = 0x75286360	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x752792b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateRemoteThread, address_out = 0x752a0a00	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x75278b70	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiA, address_out = 0x75277610	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x75278c70	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x75272af0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x75271d90	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetVersion, address_out = 0x7527a300	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLongPathNameW, address_out = 0x752747c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointer, address_out = 0x75286530	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTempFileNameA, address_out = 0x752863f0	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x77150000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x7717ea00	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = CharUpperA, address_out = 0x771831c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = FindWindowA, address_out = 0x77180980	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintfW, address_out = 0x7717ddf0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = MessageBoxA, address_out = 0x771ccf50	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x76a10000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExW, address_out = 0x76a2ed60	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegEnumKeyExA, address_out = 0x76a32520	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyW, address_out = 0x76a2f590	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegDeleteValueW, address_out = 0x76a30ca0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x76a5bda0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExW, address_out = 0x76a2f0a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthorityCount, address_out = 0x76a30f50	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthority, address_out = 0x76a30ea0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = OpenProcessToken, address_out = 0x76a2ee90	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyA, address_out = 0x76a331a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExA, address_out = 0x76a30750	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyA, address_out = 0x76a33150	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetTokenInformation, address_out = 0x76a2ed40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x76a2efa0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExA, address_out = 0x76a2ee40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExA, address_out = 0x76a2f000	1	Fn
Module	Load	module_name = SHELL32.dll, base_address = 0x75430000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteW, address_out = 0x755c4370	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteExW, address_out = 0x755c4cb0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = 92, address_out = 0x756a7560	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x768b0000	1	Fn
Module	Get Address	module_name = Unknown module name, function = CoUninitialize, address_out = 0x76eadca0	1	Fn
Module	Get Address	module_name = Unknown module name, function = CoInitializeEx, address_out = 0x76eacd50	1	Fn

Thread 0xc24

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, base_address = 0x400000	2	Fn
System	Get Computer Name	result_out = LHNIWSJ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = InstallDate, data = 65	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\98F9CE91, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
System	Get Time	type = Ticks, time = 146703	1	Fn
System	Sleep	duration = 500 milliseconds (0.500 seconds)	10	Fn

Process #6: autoclb.exe

1514

Information	Value
ID	#6
File Name	c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe
Command Line	"C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:06, Reason: Autostart
Unmonitor	End Time: 00:02:27, Reason: Self Terminated
Monitor Duration	00:00:21

OS Process Information

Information	Value
PID	0xb7c
Parent PID	0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 8B4 0x 574 0x 920 0x 808 0x 804 0x 4D0

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00023fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	rw	-
pagefile_0x0000000000040000	0x00040000	0x00053fff	Pagefile Backed Memory	r	-
private_0x0000000000060000	0x00060000	0x0009ffff	Private Memory	rw	-
private_0x0000000000060000	0x00060000	0x00060fff	Private Memory	rw	-
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	rw	-
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x00090fff	Private Memory	rw	-
private_0x00000000000a0000	0x000a0000	0x0019ffff	Private Memory	rw	-
private_0x00000000000a0000	0x000a0000	0x000a0fff	Private Memory	rw	-
private_0x00000000000b0000	0x000b0000	0x000b0fff	Private Memory	rw	-
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	rw	-
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	rw	-
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	rw	-
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	rw	-
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	rw	-
private_0x0000000000110000	0x00110000	0x00110fff	Private Memory	rw	-
private_0x0000000000120000	0x00120000	0x00120fff	Private Memory	rw	-
private_0x0000000000130000	0x00130000	0x00130fff	Private Memory	rw	-
private_0x0000000000140000	0x00140000	0x00140fff	Private Memory	rw	-
private_0x0000000000150000	0x00150000	0x00150fff	Private Memory	rw	-
private_0x0000000000160000	0x00160000	0x00160fff	Private Memory	rw	-
private_0x0000000000170000	0x00170000	0x00170fff	Private Memory	rw	-
private_0x0000000000180000	0x00180000	0x00180fff	Private Memory	rw	-
private_0x0000000000190000	0x00190000	0x00190fff	Private Memory	rw	-
pagefile_0x00000000001a0000	0x001a0000	0x001a3fff	Pagefile Backed Memory	r	-
pagefile_0x00000000001b0000	0x001b0000	0x001b0fff	Pagefile Backed Memory	r	-
private_0x00000000001c0000	0x001c0000	0x001c1fff	Private Memory	rw	-
locale.nls	0x001d0000	0x0028dfff	Memory Mapped File	r	-
private_0x0000000000290000	0x00290000	0x002cffff	Private Memory	rw	-
private_0x00000000002d0000	0x002d0000	0x002d0fff	Private Memory	rw	-
msvfw32.dll.mui	0x002e0000	0x002e1fff	Memory Mapped File	r	-
private_0x00000000002f0000	0x002f0000	0x002fffff	Private Memory	rw	-
private_0x0000000000300000	0x00300000	0x003fffff	Private Memory	rw	-
autoclb.exe	0x00400000	0x004d0fff	Memory Mapped File	rwx	... Region Actions Download Dump
private_0x00000000004e0000	0x004e0000	0x004e3fff	Private Memory	rw	-
pagefile_0x00000000004f0000	0x004f0000	0x004f1fff	Pagefile Backed Memory	r	-
private_0x0000000000500000	0x00500000	0x00500fff	Private Memory	rw	-
private_0x0000000000510000	0x00510000	0x0060ffff	Private Memory	rw	-
private_0x0000000000610000	0x00610000	0x0064ffff	Private Memory	rw	-
private_0x0000000000650000	0x00650000	0x0074ffff	Private Memory	rw	-
private_0x0000000000750000	0x00750000	0x0078ffff	Private Memory	rw	-
private_0x0000000000790000	0x00790000	0x0088ffff	Private Memory	rw	-
pagefile_0x0000000000890000	0x00890000	0x00a17fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000a20000	0x00a20000	0x00a21fff	Pagefile Backed Memory	r	-
private_0x0000000000a30000	0x00a30000	0x00aaffff	Private Memory	rw	-
private_0x0000000000a30000	0x00a30000	0x00a6ffff	Private Memory	rw	-
private_0x0000000000a70000	0x00a70000	0x00a70fff	Private Memory	rw	-
private_0x0000000000a80000	0x00a80000	0x00a80fff	Private Memory	rw	-
private_0x0000000000a90000	0x00a90000	0x00a90fff	Private Memory	rw	-
private_0x0000000000aa0000	0x00aa0000	0x00aaffff	Private Memory	rw	-
private_0x0000000000ab0000	0x00ab0000	0x00ab0fff	Private Memory	rw	-
private_0x0000000000ac0000	0x00ac0000	0x00ac0fff	Private Memory	rw	-
private_0x0000000000ad0000	0x00ad0000	0x00ad0fff	Private Memory	rw	-
private_0x0000000000ae0000	0x00ae0000	0x00ae0fff	Private Memory	rw	-
private_0x0000000000af0000	0x00af0000	0x00af0fff	Private Memory	rw	-
private_0x0000000000b00000	0x00b00000	0x00b00fff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00b10fff	Private Memory	rw	-
private_0x0000000000b20000	0x00b20000	0x00b2ffff	Private Memory	rw	-
private_0x0000000000b30000	0x00b30000	0x00b30fff	Private Memory	rw	-
private_0x0000000000b40000	0x00b40000	0x00b4ffff	Private Memory	rw	-
pagefile_0x0000000000b50000	0x00b50000	0x00cd0fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000ce0000	0x00ce0000	0x020dffff	Pagefile Backed Memory	r	-
sortdefault.nls	0x020e0000	0x02416fff	Memory Mapped File	r	-
private_0x0000000002420000	0x02420000	0x025fffff	Private Memory	rw	-
private_0x0000000002420000	0x02420000	0x0251ffff	Private Memory	rw	-
private_0x0000000002520000	0x02520000	0x02520fff	Private Memory	rw	-
private_0x0000000002530000	0x02530000	0x02530fff	Private Memory	rw	-
private_0x0000000002540000	0x02540000	0x02540fff	Private Memory	rw	-
private_0x0000000002550000	0x02550000	0x02550fff	Private Memory	rw	-
private_0x0000000002560000	0x02560000	0x02560fff	Private Memory	rw	-
private_0x0000000002570000	0x02570000	0x02570fff	Private Memory	rw	-
private_0x0000000002580000	0x02580000	0x02580fff	Private Memory	rw	-
private_0x0000000002590000	0x02590000	0x02590fff	Private Memory	rw	-
private_0x00000000025a0000	0x025a0000	0x025a0fff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x025b0fff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x025c0fff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x025d0fff	Private Memory	rw	-
private_0x00000000025e0000	0x025e0000	0x025e0fff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x025fffff	Private Memory	rw	-
private_0x0000000002600000	0x02600000	0x02600fff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x02610fff	Private Memory	rw	-
private_0x0000000002620000	0x02620000	0x02620fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x02630fff	Private Memory	rw	-
private_0x0000000002640000	0x02640000	0x02640fff	Private Memory	rw	-
private_0x0000000002650000	0x02650000	0x02650fff	Private Memory	rw	-
private_0x0000000002660000	0x02660000	0x02660fff	Private Memory	rw	-
private_0x0000000002670000	0x02670000	0x02670fff	Private Memory	rw	-
wow64cpu.dll	0x58460000	0x58467fff	Memory Mapped File	rwx	-
wow64.dll	0x58470000	0x584befff	Memory Mapped File	rwx	-
wow64win.dll	0x584c0000	0x58532fff	Memory Mapped File	rwx	-
msvfw32.dll	0x739d0000	0x739f2fff	Memory Mapped File	rwx	-
comctl32.dll	0x73cf0000	0x73ef8fff	Memory Mapped File	rwx	-
glu32.dll	0x73f00000	0x73f24fff	Memory Mapped File	rwx	-
tapi32.dll	0x73f30000	0x73f63fff	Memory Mapped File	rwx	-
version.dll	0x73ff0000	0x73ff7fff	Memory Mapped File	rwx	-
iphlpapi.dll	0x74020000	0x7404ffff	Memory Mapped File	rwx	-
uxtheme.dll	0x74070000	0x740e4fff	Memory Mapped File	rwx	-
dciman32.dll	0x740f0000	0x740f6fff	Memory Mapped File	rwx	-
devobj.dll	0x74100000	0x74120fff	Memory Mapped File	rwx	-
winnsi.dll	0x74130000	0x74137fff	Memory Mapped File	rwx	-
ddraw.dll	0x74140000	0x7422afff	Memory Mapped File	rwx	-
winmmbase.dll	0x74230000	0x74252fff	Memory Mapped File	rwx	-
winmm.dll	0x74260000	0x74283fff	Memory Mapped File	rwx	-
opengl32.dll	0x74290000	0x7436ffff	Memory Mapped File	rwx	-
comctl32.dll	0x74370000	0x74401fff	Memory Mapped File	rwx	-
bcryptprimitives.dll	0x74410000	0x74468fff	Memory Mapped File	rwx	-
cryptbase.dll	0x74470000	0x74479fff	Memory Mapped File	rwx	-
sspicli.dll	0x74480000	0x7449dfff	Memory Mapped File	rwx	-
comdlg32.dll	0x744a0000	0x7455dfff	Memory Mapped File	rwx	-
shcore.dll	0x74570000	0x745fcfff	Memory Mapped File	rwx	-
kernelbase.dll	0x74600000	0x74775fff	Memory Mapped File	rwx	-
shlwapi.dll	0x747e0000	0x74823fff	Memory Mapped File	rwx	-
user32.dll	0x74920000	0x74a5ffff	Memory Mapped File	rwx	-
combase.dll	0x74cf0000	0x74ea9fff	Memory Mapped File	rwx	-
powrprof.dll	0x74eb0000	0x74ef3fff	Memory Mapped File	rwx	-
nsi.dll	0x74f00000	0x74f06fff	Memory Mapped File	rwx	-
imm32.dll	0x74f10000	0x74f3afff	Memory Mapped File	rwx	-
psapi.dll	0x74fe0000	0x74fe5fff	Memory Mapped File	rwx	-
msctf.dll	0x75040000	0x7515ffff	Memory Mapped File	rwx	-
kernel.appcore.dll	0x75160000	0x7516bfff	Memory Mapped File	rwx	-
msvcrt.dll	0x751d0000	0x7528dfff	Memory Mapped File	rwx	-
shell32.dll	0x75290000	0x7664efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x767d0000	0x7687bfff	Memory Mapped File	rwx	-
windows.storage.dll	0x76880000	0x76d5cfff	Memory Mapped File	rwx	-
gdi32.dll	0x76d60000	0x76eacfff	Memory Mapped File	rwx	-
setupapi.dll	0x76eb0000	0x77054fff	Memory Mapped File	rwx	-
advapi32.dll	0x770c0000	0x7713afff	Memory Mapped File	rwx	-
cfgmgr32.dll	0x77140000	0x77175fff	Memory Mapped File	rwx	-
profapi.dll	0x77180000	0x7718efff	Memory Mapped File	rwx	-
sechost.dll	0x77190000	0x771d2fff	Memory Mapped File	rwx	-
kernel32.dll	0x77280000	0x7736ffff	Memory Mapped File	rwx	-
ntdll.dll	0x77370000	0x774e8fff	Memory Mapped File	rwx	-
private_0x000000007fe40000	0x7fe40000	0x7fe9ffff	Private Memory	rw	-
private_0x000000007feaa000	0x7feaa000	0x7feacfff	Private Memory	rw	-
private_0x000000007fead000	0x7fead000	0x7feaffff	Private Memory	rw	-
pagefile_0x000000007feb0000	0x7feb0000	0x7ffaffff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd5000	0x7ffd5000	0x7ffd7fff	Private Memory	rw	-
private_0x000000007ffd8000	0x7ffd8000	0x7ffdafff	Private Memory	rw	-
private_0x000000007ffdb000	0x7ffdb000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7ffb4817ffff	Private Memory	r	-
ntdll.dll	0x7ffb48180000	0x7ffb48341fff	Memory Mapped File	rwx	-
private_0x00007ffb48342000	0x7ffb48342000	0x7ffffffeffff	Private Memory	r	-
For performance reasons, the remaining 36 entries are omitted. The remaining entries can be found in flog.txt.

Threads

Thread 0x8b4

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77280000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x7729a330	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x77297580	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x77299910	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x7729f400	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77280000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x773cf190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77280000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x773cf190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77280000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x773cf190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77280000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x773cf190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77280000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x773cf190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77280000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x773cf190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77280000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x773cf190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77280000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x773ca200	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77280000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x773ca200	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77280000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x773cf190	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x773ca200	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Filename	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77280000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x77299680	1	Fn
Window	Create	window_name = FTP, class_name = fetches, wndproc_parameter = 0	1	Fn
Module	Get Handle	module_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, base_address = 0x400000	3	Fn

Thread 0x804

694

Category	Operation	Information	Count	Logfile
File	Read	filename = STD_ERROR_HANDLE, size = 0	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77280000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x773ca200	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77280000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x773ca200	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77280000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x773cf190	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x773ca200	1	Fn
System	Get Cursor	x_out = 821, y_out = 20	712	Fn
Module	Get Handle	module_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, base_address = 0x400000	12	Fn
System	Get Cursor	x_out = 821, y_out = 20	3	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
File	Write	size = 1	1	Fn
Debug	Print	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, type = DEBUG_STRING	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77370000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x770c0000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77370000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x770c0000	1	Fn
Module	Get Handle	module_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, base_address = 0x400000	1	Fn
System	Get Time	type = System Time, time = 2018-10-24 19:45:56 (UTC)	1	Fn
Module	Load	module_name = ntdll.dll, base_address = 0x77370000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = memset, address_out = 0x773dee50	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = strstr, address_out = 0x773e0010	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = mbstowcs, address_out = 0x773de610	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlNtStatusToDosError, address_out = 0x773c3010	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = memcpy, address_out = 0x773de7b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlGetVersion, address_out = 0x773cfcd0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlUnwind, address_out = 0x773caca0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwQueryInformationProcess, address_out = 0x773d8d50	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x773d8f40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwOpenProcessToken, address_out = 0x773d9d20	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwQueryInformationToken, address_out = 0x773d8df0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwClose, address_out = 0x773d8cb0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwOpenProcess, address_out = 0x773d8e40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtUnmapViewOfSection, address_out = 0x773d8e80	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtMapViewOfSection, address_out = 0x773d8e60	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtCreateSection, address_out = 0x773d9080	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlFreeUnicodeString, address_out = 0x773ab940	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlUpcaseUnicodeString, address_out = 0x773be040	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = _aulldiv, address_out = 0x773dc680	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtQueryVirtualMemory, address_out = 0x773d8e10	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x747e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrStrIA, address_out = 0x747fcd10	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrChrW, address_out = 0x747f6a00	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindFileNameW, address_out = 0x747f80d0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathCombineW, address_out = 0x747fcd50	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindExtensionA, address_out = 0x74801db0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrChrA, address_out = 0x748026c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrTrimW, address_out = 0x747f83a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindExtensionW, address_out = 0x747f7c40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrRChrA, address_out = 0x74802900	1	Fn
Module	Load	module_name = SETUPAPI.dll, base_address = 0x76eb0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\setupapi.dll, function = SetupDiGetDeviceRegistryPropertyA, address_out = 0x76f019a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\setupapi.dll, function = SetupDiGetClassDevsA, address_out = 0x76ed8d10	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\setupapi.dll, function = SetupDiEnumDeviceInfo, address_out = 0x76ec5620	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\setupapi.dll, function = SetupDiDestroyDeviceInfoList, address_out = 0x76ec5340	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x77280000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x772925e0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameA, address_out = 0x7729f4b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x772a74f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x77299640	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineW, address_out = 0x7729a4b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x773d2570	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x772a5f20	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x77299700	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapDestroy, address_out = 0x7729d940	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapCreate, address_out = 0x77299950	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetEvent, address_out = 0x772a60c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyW, address_out = 0x772bd410	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetFileAttributesW, address_out = 0x772a6510	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x77292d80	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyA, address_out = 0x7729e320	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SwitchToThread, address_out = 0x77299f30	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetEndOfFile, address_out = 0x772a64f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventA, address_out = 0x772a5f70	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlushFileBuffers, address_out = 0x772a62a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTempPathA, address_out = 0x772a6410	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x77292db0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileA, address_out = 0x772a6270	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x773ada90	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiW, address_out = 0x77297540	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x77297940	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetWaitableTimer, address_out = 0x772a60d0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x772a57f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address_out = 0x772bd320	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x772a61d0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileA, address_out = 0x772a6170	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CompareFileTime, address_out = 0x772a6130	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ResetEvent, address_out = 0x772a60b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x772a6590	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetFileTime, address_out = 0x772a6380	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessA, address_out = 0x772c0960	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateDirectoryW, address_out = 0x772a6150	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x772a61b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x772a6180	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateWaitableTimerA, address_out = 0x7729db30	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ResumeThread, address_out = 0x7729a280	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SuspendThread, address_out = 0x7729ed00	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x7729c1f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpynA, address_out = 0x7729f7b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = LocalFree, address_out = 0x772987c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsA, address_out = 0x772c0da0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x772977b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x772a3a30	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatA, address_out = 0x7729efc0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x772a6110	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x772a64a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsW, address_out = 0x7729c8c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateDirectoryA, address_out = 0x772a6140	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtectEx, address_out = 0x772c2a00	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileA, address_out = 0x772a6210	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameA, address_out = 0x7729a040	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x77299560	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSize, address_out = 0x772a6360	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x772992b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateRemoteThread, address_out = 0x772c0a00	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x77298b70	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiA, address_out = 0x77297610	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x77298c70	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x77292af0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x77291d90	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetVersion, address_out = 0x7729a300	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLongPathNameW, address_out = 0x772947c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointer, address_out = 0x772a6530	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTempFileNameA, address_out = 0x772a63f0	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x74920000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x7494ea00	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = CharUpperA, address_out = 0x749531c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = FindWindowA, address_out = 0x74950980	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintfW, address_out = 0x7494ddf0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = MessageBoxA, address_out = 0x7499cf50	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x770c0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExW, address_out = 0x770ded60	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegEnumKeyExA, address_out = 0x770e2520	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyW, address_out = 0x770df590	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegDeleteValueW, address_out = 0x770e0ca0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7710bda0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExW, address_out = 0x770df0a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthorityCount, address_out = 0x770e0f50	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthority, address_out = 0x770e0ea0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = OpenProcessToken, address_out = 0x770dee90	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyA, address_out = 0x770e31a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExA, address_out = 0x770e0750	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyA, address_out = 0x770e3150	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetTokenInformation, address_out = 0x770ded40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x770defa0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExA, address_out = 0x770dee40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExA, address_out = 0x770df000	1	Fn
Module	Load	module_name = SHELL32.dll, base_address = 0x75290000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteW, address_out = 0x75424370	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteExW, address_out = 0x75424cb0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = 92, address_out = 0x75507560	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x74a60000	1	Fn
Module	Get Address	module_name = Unknown module name, function = CoUninitialize, address_out = 0x74d5dca0	1	Fn
Module	Get Address	module_name = Unknown module name, function = CoInitializeEx, address_out = 0x74d5cd50	1	Fn

Thread 0x4d0

100

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, base_address = 0x400000	2	Fn
System	Get Computer Name	result_out = LHNIWSJ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = InstallDate, data = 65	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\98F9CE91, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
System	Get Time	type = Ticks, time = 52828	1	Fn
System	Sleep	duration = 500 milliseconds (0.500 seconds)	10	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77280000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsWow64Process, address_out = 0x772996e0	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x74920000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetWindowThreadProcessId, address_out = 0x7493ba70	1	Fn
Window	Find	class_name = ProgMan	1	Fn
Process	Open	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
File	Create	filename = C:\Windows\system32\c_1252.nls, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\system32\c_1252.nls, type = time	1	Fn
File	Create	filename = C:\Windows\system32\c_1252.nls, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\system32\c_1252.nls, type = time	1	Fn
File	Create	filename = C:\Windows\system32\c_1252.nls, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\system32\c_1252.nls, type = time	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77370000	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, value_name = cabilipc, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_USERS	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_USERS	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_USERS	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_USERS	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_USERS	1	Fn
Registry	Open Key	reg_name = HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	1	Fn
Registry	Read Value	reg_name = HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, value_name = AppData, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, value_name = AppData, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming, type = REG_SZ	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x74920000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetWindowThreadProcessId, address_out = 0x7493ba70	1	Fn
Window	Find	class_name = ProgMan	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77280000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = Wow64EnableWow64FsRedirection, address_out = 0x772bb6a0	1	Fn
Process	Create	process_name = C:\Windows\system32\svchost.exe, os_pid = 0x534, creation_flags = CREATE_SUSPENDED, CREATE_DEFAULT_ERROR_MODE, show_window = SW_HIDE	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77370000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwWow64QueryInformationProcess64, address_out = 0x773da840	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77370000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwWow64ReadVirtualMemory64, address_out = 0x773da860	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77370000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwWow64QueryInformationProcess64, address_out = 0x773da840	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77370000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwWow64QueryInformationProcess64, address_out = 0x773da840	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77370000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwWow64QueryInformationProcess64, address_out = 0x773da840	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77370000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwWow64QueryInformationProcess64, address_out = 0x773da840	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77370000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwWow64QueryInformationProcess64, address_out = 0x773da840	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77370000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwWow64QueryInformationProcess64, address_out = 0x773da840	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77370000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwWow64QueryInformationProcess64, address_out = 0x773da840	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77370000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwWow64QueryInformationProcess64, address_out = 0x773da840	1	Fn
Thread	Resume	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, os_tid = 0x4d0	1	Fn
System	Sleep	duration = 100 milliseconds (0.100 seconds)	1	Fn
Thread	Suspend	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, os_tid = 0x4d0	1	Fn
Thread	Get Context	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, os_tid = 0x4d0	1	Fn
Module	Create Mapping	protection = PAGE_EXECUTE_READWRITE, maximum_size = 44692952	1	Fn
Module	Map	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2f70000	1	Fn
Module	Map	process_name = C:\Windows\system32\svchost.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xfd0000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77370000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwWow64QueryInformationProcess64, address_out = 0x773da840	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77370000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwWow64QueryInformationProcess64, address_out = 0x773da840	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77370000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwWow64QueryInformationProcess64, address_out = 0x773da840	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77370000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwWow64QueryInformationProcess64, address_out = 0x773da840	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77370000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwWow64QueryInformationProcess64, address_out = 0x773da840	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77370000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwWow64QueryInformationProcess64, address_out = 0x773da840	1	Fn
Thread	Get Context	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, os_tid = 0x4d0	1	Fn
Memory	Write	process_name = C:\Windows\system32\svchost.exe, address = 0x1110000, size = 792	1	Fn Data
Thread	Set Context	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, os_tid = 0x4d0	1	Fn
Memory	Protect	process_name = C:\Windows\system32\svchost.exe, address = 0x7ff7e54b3440, protection = PAGE_EXECUTE_READWRITE, size = 44692984	1	Fn
Memory	Write	process_name = C:\Windows\system32\svchost.exe, address = 0x7ff7e54b3440, size = 4	1	Fn Data
Memory	Protect	process_name = C:\Windows\system32\svchost.exe, address = 0x7ff7e54b3000, protection = PAGE_EXECUTE_READ, size = 44692984	1	Fn
Thread	Resume	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, os_tid = 0x4d0	1	Fn

Process #7: svchost.exe

314

Information	Value
ID	#7
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\system32\svchost.exe
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:25, Reason: Child Process
Unmonitor	End Time: 00:02:29, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

Information	Value
PID	0x534
Parent PID	0xb7c (c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 554 0x 428 0x 7C4 0x 7F8

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000fd0000	0x00fd0000	0x01102fff	Pagefile Backed Memory	rwx	-
private_0x0000000001110000	0x01110000	0x01110fff	Private Memory	rwx	-
private_0x000000007f06c000	0x7f06c000	0x7f06cfff	Private Memory	rw	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000e86afd0000	0xe86afd0000	0xe86afeffff	Private Memory	rw	-
pagefile_0x000000e86afd0000	0xe86afd0000	0xe86afdffff	Pagefile Backed Memory	rw	-
svchost.exe.mui	0xe86afe0000	0xe86afe0fff	Memory Mapped File	r	-
pagefile_0x000000e86aff0000	0xe86aff0000	0xe86b003fff	Pagefile Backed Memory	r	-
private_0x000000e86b010000	0xe86b010000	0xe86b08ffff	Private Memory	rw	-
pagefile_0x000000e86b090000	0xe86b090000	0xe86b093fff	Pagefile Backed Memory	r	-
pagefile_0x000000e86b0a0000	0xe86b0a0000	0xe86b0a0fff	Pagefile Backed Memory	r	-
private_0x000000e86b0b0000	0xe86b0b0000	0xe86b0b1fff	Private Memory	rw	-
locale.nls	0xe86b0c0000	0xe86b17dfff	Memory Mapped File	r	-
private_0x000000e86b180000	0xe86b180000	0xe86b1fffff	Private Memory	rw	-
private_0x000000e86b200000	0xe86b200000	0xe86b21cfff	Private Memory	rw	-
private_0x000000e86b200000	0xe86b200000	0xe86b200fff	Private Memory	rw	-
private_0x000000e86b210000	0xe86b210000	0xe86b21cfff	Private Memory	rw	-
private_0x000000e86b220000	0xe86b220000	0xe86b220fff	Private Memory	rw	-
msvfw32.dll.mui	0xe86b230000	0xe86b231fff	Memory Mapped File	r	-
private_0x000000e86b240000	0xe86b240000	0xe86b246fff	Private Memory	rw	-
imm32.dll	0xe86b250000	0xe86b283fff	Memory Mapped File	r	-
private_0x000000e86b250000	0xe86b250000	0xe86b26cfff	Private Memory	rw	-
private_0x000000e86b300000	0xe86b300000	0xe86b3fffff	Private Memory	rw	-
private_0x000000e86b400000	0xe86b400000	0xe86b5fffff	Private Memory	rw	-
private_0x000000e86b400000	0xe86b400000	0xe86b4fffff	Private Memory	rw	-
pagefile_0x000000e86b500000	0xe86b500000	0xe86b687fff	Pagefile Backed Memory	r	-
pagefile_0x000000e86b690000	0xe86b690000	0xe86b810fff	Pagefile Backed Memory	r	-
pagefile_0x000000e86b820000	0xe86b820000	0xe86cc1ffff	Pagefile Backed Memory	r	-
private_0x000000e86cc20000	0xe86cc20000	0xe86cdfcfff	Private Memory	rw	-
oleaut32.dll	0xe86cc20000	0xe86ccdcfff	Memory Mapped File	r	-
pagefile_0x000000e86cc20000	0xe86cc20000	0xe86cd52fff	Pagefile Backed Memory	rwx	-
private_0x000000e86cdf0000	0xe86cdf0000	0xe86cdfcfff	Private Memory	rw	-
private_0x000000e86ce00000	0xe86ce00000	0xe86cffffff	Private Memory	rw	-
private_0x000000e86ce00000	0xe86ce00000	0xe86cefffff	Private Memory	rw	-
private_0x000000e86cf00000	0xe86cf00000	0xe86d0fffff	Private Memory	rw	-
private_0x000000e86cf00000	0xe86cf00000	0xe86cffffff	Private Memory	rw	-
private_0x000000e86d000000	0xe86d000000	0xe86d1fffff	Private Memory	rw	-
private_0x000000e86d000000	0xe86d000000	0xe86d0fffff	Private Memory	rw	-
private_0x000000e86d100000	0xe86d100000	0xe86d2fffff	Private Memory	rw	-
private_0x000000e86d100000	0xe86d100000	0xe86d1fffff	Private Memory	rw	-
private_0x000000e86d200000	0xe86d200000	0xe86d3fffff	Private Memory	rw	-
private_0x000000e86d200000	0xe86d200000	0xe86d2fffff	Private Memory	rw	-
sortdefault.nls	0xe86d300000	0xe86d636fff	Memory Mapped File	r	-
pagefile_0x00007df5ff9c0000	0x7df5ff9c0000	0x7ff5ff9bffff	Pagefile Backed Memory	-	-
pagefile_0x00007ff7e4a60000	0x7ff7e4a60000	0x7ff7e4b5ffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff7e4b60000	0x7ff7e4b60000	0x7ff7e4b82fff	Pagefile Backed Memory	r	-
private_0x00007ff7e4b89000	0x7ff7e4b89000	0x7ff7e4b89fff	Private Memory	rw	-
private_0x00007ff7e4b8c000	0x7ff7e4b8c000	0x7ff7e4b8dfff	Private Memory	rw	-
private_0x00007ff7e4b8e000	0x7ff7e4b8e000	0x7ff7e4b8ffff	Private Memory	rw	-
svchost.exe	0x7ff7e54b0000	0x7ff7e54bcfff	Memory Mapped File	rwx	-
winmmbase.dll	0x7ffb35990000	0x7ffb359bbfff	Memory Mapped File	rwx	-
winmm.dll	0x7ffb359c0000	0x7ffb359e2fff	Memory Mapped File	rwx	-
comctl32.dll	0x7ffb36120000	0x7ffb361c9fff	Memory Mapped File	rwx	-
msvfw32.dll	0x7ffb3cec0000	0x7ffb3cee8fff	Memory Mapped File	rwx	-
msacm32.dll	0x7ffb40a30000	0x7ffb40a4bfff	Memory Mapped File	rwx	-
avifil32.dll	0x7ffb40a50000	0x7ffb40a6ffff	Memory Mapped File	rwx	-
devobj.dll	0x7ffb43520000	0x7ffb43546fff	Memory Mapped File	rwx	-
sspicli.dll	0x7ffb447d0000	0x7ffb447fbfff	Memory Mapped File	rwx	-
powrprof.dll	0x7ffb44bb0000	0x7ffb44bf9fff	Memory Mapped File	rwx	-
profapi.dll	0x7ffb44c00000	0x7ffb44c12fff	Memory Mapped File	rwx	-
kernel.appcore.dll	0x7ffb44c20000	0x7ffb44c2efff	Memory Mapped File	rwx	-
cfgmgr32.dll	0x7ffb44c50000	0x7ffb44c93fff	Memory Mapped File	rwx	-
windows.storage.dll	0x7ffb44d50000	0x7ffb45377fff	Memory Mapped File	rwx	-
shcore.dll	0x7ffb455b0000	0x7ffb45662fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ffb45670000	0x7ffb4584cfff	Memory Mapped File	rwx	-
ole32.dll	0x7ffb45900000	0x7ffb45a40fff	Memory Mapped File	rwx	-
sechost.dll	0x7ffb45ac0000	0x7ffb45b1afff	Memory Mapped File	rwx	-
rpcrt4.dll	0x7ffb45b20000	0x7ffb45c45fff	Memory Mapped File	rwx	-
user32.dll	0x7ffb45c50000	0x7ffb45d9dfff	Memory Mapped File	rwx	-
kernel32.dll	0x7ffb45e10000	0x7ffb45ebcfff	Memory Mapped File	rwx	-
imm32.dll	0x7ffb46070000	0x7ffb460a5fff	Memory Mapped File	rwx	-
psapi.dll	0x7ffb460b0000	0x7ffb460b7fff	Memory Mapped File	rwx	-
gdi32.dll	0x7ffb460c0000	0x7ffb46244fff	Memory Mapped File	rwx	-
shlwapi.dll	0x7ffb46250000	0x7ffb462a0fff	Memory Mapped File	rwx	-
msctf.dll	0x7ffb462d0000	0x7ffb4642bfff	Memory Mapped File	rwx	-
combase.dll	0x7ffb46610000	0x7ffb4688bfff	Memory Mapped File	rwx	-
shell32.dll	0x7ffb46890000	0x7ffb47db4fff	Memory Mapped File	rwx	-
advapi32.dll	0x7ffb47e30000	0x7ffb47ed5fff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ffb48000000	0x7ffb4809cfff	Memory Mapped File	rwx	-
ntdll.dll	0x7ffb48180000	0x7ffb48341fff	Memory Mapped File	rwx	-

Hook Information

Type	Installer	Target	Size	Information	Actions
Code	pagefile_0x0000000000fd0000:+0x28dce	advapi32.dll:Wow64RedirectKeyPathInternal+0x3fa	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000fd0000:+0x28dd2	advapi32.dll:Wow64RedirectKeyPathInternal+0x3f4	2 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000fd0000:+0x28dce	kernel32.dll:AslpImageRvaToVa+0x1fe	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000fd0000:+0x28dd2	kernel32.dll:AslpImageRvaToVa+0x1f8	2 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000fd0000:+0x28dce	kernel32.dll:AslpImageRvaToVa+0x20c	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000fd0000:+0x28dd2	kernel32.dll:AslpImageRvaToVa+0x206	2 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000fd0000:+0x28dce	kernel32.dll:AslpImageRvaToVa+0x21a	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000fd0000:+0x28dd2	kernel32.dll:AslpImageRvaToVa+0x214	2 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
IAT	pagefile_0x0000000000fd0000:+0x289b5	261. entry of msctf.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000000fd0000:+0x315b0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000000fd0000:+0x289b5	133. entry of msvcrt.dll	4 bytes	kernel32.dll:CreateProcessA+0x0 now points to pagefile_0x0000000000fd0000:+0x316b8	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000000fd0000:+0x289b5	134. entry of msvcrt.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000000fd0000:+0x315b0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000000fd0000:+0x289b5	230. entry of user32.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000000fd0000:+0x315b0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000000fd0000:+0x289b5	517. entry of ole32.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000000fd0000:+0x315b0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000000fd0000:+0x289b5	638. entry of shell32.dll	4 bytes	kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x0000000000fd0000:+0x318ec	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000000fd0000:+0x289b5	631. entry of shell32.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000000fd0000:+0x315b0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000000fd0000:+0x289b5	236. entry of windows.storage.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000000fd0000:+0x315b0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000000fd0000:+0x289b5	215. entry of windows.storage.dll	4 bytes	kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x0000000000fd0000:+0x318ec	... Actions Go to Installer Region Go to Target Region

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#6: c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe	0x4d0	address = 0xfd0000, size = 1257472	1	Fn
Modify Memory	#6: c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe	0x4d0	address = 0x1110000, size = 792	1	Fn Data
Modify Control Flow	#6: c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe	0x4d0	os_tid = 0x554, address = 0xe4b89000	1	Fn
Modify Memory	#6: c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe	0x4d0	address = 0x7ff7e54b3440, size = 4	1	Fn Data

Threads

Thread 0x554

313

Category	Operation	Information	Count	Logfile
Module	Load	module_name = ntdll.dll, base_address = 0x0	1	Fn
Module	Get Address	function = NtCreateSection, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = NtUnmapViewOfSection, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = NtMapViewOfSection, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = ZwOpenProcessToken, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = ZwClose, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = ZwQueryInformationToken, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = ZwOpenProcess, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = NtQuerySystemInformation, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = RtlNtStatusToDosError, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = ZwQueryInformationProcess, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = RtlImageDirectoryEntryToData, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = _wcsupr, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = _strupr, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = memmove, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = bsearch, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = _vsnwprintf, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = _strlwr, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = atoi, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = strstr, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = wcscpy, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = ZwQueryKey, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = RtlFreeUnicodeString, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = sprintf, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = _snprintf, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = memset, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = memcpy, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = strcpy, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = RtlAdjustPrivilege, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = mbstowcs, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = RtlImageNtHeader, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = memcmp, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = __C_specific_handler, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = __chkstk, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = GetLocalTime, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = OpenProcess, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = VirtualQueryEx, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = CreateRemoteThread, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = GetModuleFileNameW, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = GetVersion, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = SetEndOfFile, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = RemoveDirectoryW, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = GetTempFileNameA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = DeleteCriticalSection, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = VirtualProtect, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = CloseHandle, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = WriteProcessMemory, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = CreateFileA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = lstrcmpiA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = GetModuleFileNameA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = LoadLibraryA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = GetCurrentProcess, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = lstrcmpA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = GetModuleHandleA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = CreateFileMappingA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = MapViewOfFile, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = Sleep, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = UnmapViewOfFile, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = GlobalLock, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = lstrlenA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = GlobalAlloc, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = GlobalUnlock, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = HeapAlloc, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = lstrcpyA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = GetLastError, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = HeapFree, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = RemoveDirectoryA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = DeleteFileA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = lstrcatA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = WriteFile, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = CreateDirectoryA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = HeapDestroy, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = HeapCreate, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = SetEvent, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = HeapReAlloc, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = GetTickCount, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = FindNextFileW, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = CopyFileW, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = SetWaitableTimer, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = LocalAlloc, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = GetCurrentThread, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = GetCurrentThreadId, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = lstrlenW, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = CreateEventA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = GetWindowsDirectoryA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = DeleteFileW, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = CreateDirectoryW, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = CreateWaitableTimerA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = GetTempPathA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = FindFirstFileW, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = LocalFree, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = TerminateProcess, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = SuspendThread, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = WaitForMultipleObjects, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = ResumeThread, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = lstrcpyW, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = FileTimeToSystemTime, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = CreateThread, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = CreateFileW, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = ResetEvent, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = SwitchToThread, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = lstrcatW, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = CreateProcessW, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = GetFileSize, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = GetFileAttributesW, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = WideCharToMultiByte, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = LeaveCriticalSection, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = SetLastError, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = EnterCriticalSection, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = GetComputerNameA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = CreateMutexA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = OpenWaitableTimerA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = OpenMutexA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = GetVolumeInformationA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = WaitForSingleObject, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = ReleaseMutex, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = GetComputerNameW, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = InitializeCriticalSection, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = LoadLibraryExW, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = GetProcAddress, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = VirtualFree, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = GetFileAttributesA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = OpenFileMappingA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = GetExitCodeProcess, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = CreateProcessA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = lstrcpynA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = LocalReAlloc, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = TlsAlloc, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = TlsGetValue, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = TlsSetValue, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = LoadLibraryW, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = GetVersionExW, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = FreeLibrary, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = ReadFile, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = SetFilePointer, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = Thread32First, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = QueueUserAPC, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = OpenThread, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = Thread32Next, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = FindFirstFileA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = FindNextFileA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = ConnectNamedPipe, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = GetOverlappedResult, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = CancelIo, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = DisconnectNamedPipe, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = FlushFileBuffers, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = CallNamedPipeA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = CreateNamedPipeA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = GetSystemTime, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = WaitNamedPipeA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = GetCurrentProcessId, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = SleepEx, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = OpenEventA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = lstrcmpiW, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = RaiseException, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = GetSystemInfo, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = Process32NextW, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = Process32FirstW, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = QueueUserWorkItem, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = FindClose, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = GetDriveTypeW, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = VirtualProtectEx, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Load	module_name = AVIFIL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = AVIStreamRelease, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = AVIStreamWrite, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = AVIFileOpenA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = AVIFileCreateStreamA, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = AVIStreamSetFormat, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = AVIFileExit, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = AVIFileInit, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = AVIMakeCompressedStream, ordinal = 0, address_out = 0xe86b08f910	1	Fn
Module	Get Address	function = AVIFileRelease, ordinal = 0, address_out = 0xe86b08f910	1	Fn
System	Get Time	type = Ticks, time = 60437	1	Fn
Module	Get Handle	module_name = c:\windows\system32\svchost.exe, base_address = 0x7ff7e54b0000	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	module_name = AVIFIL32.dll, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsWow64Process, address_out = 0x7ffb45e2e960	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7ffb47e30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7ffb47e4d610	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x7ffb46250000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrRChrA, address_out = 0x7ffb46264dd0	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x7ffb45c50000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = wsprintfA, address_out = 0x7ffb45c72610	1	Fn
Mutex	Create	mutex_name = {0A7B8D95-E12E-CCFA-BBDE-A5C01FF2A9F4}	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyA, address_out = 0x7ffb47e4b9e0	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExA, address_out = 0x7ffb47e47dd0	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530, value_name = Ini, type = REG_NONE	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7ffb47e472e0	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrToIntExA, address_out = 0x7ffb46264e70	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrChrA, address_out = 0x7ffb46264cc0	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrTrimA, address_out = 0x7ffb46264e80	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x7ffb48180000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernelbase.dll, base_address = 0x7ffb45670000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = GetUserNameA, address_out = 0x7ffb47e5ec40	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x7ffb48180000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x7ffb47e30000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x7ffb47e30000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Load	module_name = PSAPI.DLL, base_address = 0x7ffb460b0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\psapi.dll, function = EnumProcessModules, address_out = 0x7ffb460b1040	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	30	Fn
Module	Get Filename	module_name = AVIFIL32.dll, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 260	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrStrIW, address_out = 0x7ffb4625b260	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetShellWindow, address_out = 0x7ffb45c74060	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowThreadProcessId, address_out = 0x7ffb45c64040	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x7ffb48180000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = RtlExitUserThread, address_out = 0x7ffb48189fa0	1	Fn
Thread	Create	process_name = c:\windows\explorer.exe, proc_address = 0x7ffb48189fa0, proc_parameter = 0, flags = THREAD_CREATE_SUSPENDED	1	Fn
Memory	Read	process_name = c:\windows\explorer.exe, address = 0x7ffb48189fa0, size = 4	1	Fn Data
Memory	Protect	process_name = c:\windows\explorer.exe, address = 0x7ffb48189fa0, protection = PAGE_EXECUTE_READWRITE, size = 4	1	Fn
Memory	Write	process_name = c:\windows\explorer.exe, address = 0x7ffb48189fa0, size = 4	1	Fn Data
Memory	Protect	process_name = c:\windows\explorer.exe, address = 0x7ffb48189fa0, protection = PAGE_EXECUTE_READ, size = 4	1	Fn
Thread	Resume	process_name = c:\windows\explorer.exe, os_tid = 0x2e0	1	Fn
System	Sleep	duration = 100 milliseconds (0.100 seconds)	1	Fn
Thread	Suspend	process_name = c:\windows\explorer.exe, os_tid = 0x2e0	1	Fn
Thread	Get Context	process_name = c:\windows\explorer.exe, os_tid = 0x2e0	1	Fn
Module	Create Mapping	protection = PAGE_EXECUTE_READWRITE, maximum_size = 998228160576	1	Fn
Module	Map	process_name = c:\windows\system32\svchost.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xe86cc20000	1	Fn
Module	Map	process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xcaf0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x7ffb48180000	1	Fn
Module	Get Filename	module_name = c:\windows\system32\ntdll.dll, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260	1	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 4, size_out = 4	1	Fn Data
Module	Get Filename	module_name = c:\windows\system32\ntdll.dll, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260	1	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 4, size_out = 4	1	Fn Data
Module	Get Filename	module_name = c:\windows\system32\ntdll.dll, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260	1	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 4, size_out = 4	1	Fn Data
Memory	Allocate	process_name = c:\windows\explorer.exe, address = 0xe86b08eaa0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 998228159144	1	Fn
Thread	Get Context	process_name = c:\windows\explorer.exe, os_tid = 0x2e0	1	Fn
Memory	Write	process_name = c:\windows\explorer.exe, address = 0x5ad0000, size = 792	1	Fn Data
Thread	Set Context	process_name = c:\windows\explorer.exe, os_tid = 0x2e0	1	Fn
Module	Unmap	process_name = c:\windows\system32\svchost.exe	1	Fn
Memory	Protect	process_name = c:\windows\explorer.exe, address = 0x7ffb48189fa0, protection = PAGE_EXECUTE_READWRITE, size = 4	1	Fn
Memory	Write	process_name = c:\windows\explorer.exe, address = 0x7ffb48189fa0, size = 4	1	Fn Data
Memory	Protect	process_name = c:\windows\explorer.exe, address = 0x7ffb48189fa0, protection = PAGE_EXECUTE_READ, size = 4	1	Fn
Thread	Resume	process_name = c:\windows\explorer.exe, os_tid = 0x2e0	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCreateKeyA, address_out = 0x7ffb47e76dc0	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530, value_name = Client, data = 232, type = REG_NONE	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = GetUserNameW, address_out = 0x7ffb47e4da40	1	Fn
System	Get Computer Name	-	1	Fn
System	Get Computer Name	result_out = LHNIWSJ	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegSetValueExA, address_out = 0x7ffb47e32680	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530, value_name = Client, size = 40, type = REG_BINARY	1	Fn Data
System	Get Computer Name	result_out = LHNIWSJ	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExA, address_out = 0x7ffb47e47d70	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = ProductID, data = 48	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = ProductName, data = 87	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = CurrentVersion, data = 54	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = InstallDate, data = 65	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530, value_name = Scr, type = REG_NONE	1	Fn

Process #8: explorer.exe

6221

Information	Value
ID	#8
File Name	c:\windows\explorer.exe
Command Line	C:\Windows\Explorer.EXE
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:27, Reason: Injection
Unmonitor	End Time: 00:04:27, Reason: Terminated by Timeout
Monitor Duration	00:02:00

OS Process Information

Information	Value
PID	0x824
Parent PID	0x80c (c:\windows\system32\userinit.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 548 0x B34 0x A40 0x BB0 0x BA4 0x B98 0x B90 0x B84 0x B68 0x B64 0x B48 0x B3C 0x B38 0x B30 0x B2C 0x B28 0x B18 0x B0C 0x B08 0x AF0 0x 9F4 0x 974 0x 970 0x 964 0x 95C 0x 954 0x 938 0x 92C 0x 924 0x 91C 0x 918 0x 914 0x 90C 0x 908 0x 904 0x 900 0x 8FC 0x 8F8 0x 8F4 0x 8EC 0x 8E8 0x 8E4 0x 8DC 0x 8C4 0x 8A0 0x 884 0x 880 0x 87C 0x 878 0x 874 0x 870 0x 86C 0x 864 0x 860 0x 85C 0x 858 0x 854 0x 850 0x 84C 0x 840 0x 83C 0x 838 0x 834 0x 82C 0x 828 0x 2E0 0x 7FC 0x 42C 0x 7D8 0x 7C0 0x BE0 0x 558 0x A3C 0x 2DC 0x 540 0x BBC 0x 44C 0x 618 0x 4B8 0x 84 0x 7C8 0x BF0

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000fa0000	0x00fa0000	0x00faffff	Pagefile Backed Memory	rw	-
private_0x0000000000fb0000	0x00fb0000	0x00fb6fff	Private Memory	rw	-
pagefile_0x0000000000fc0000	0x00fc0000	0x00fd3fff	Pagefile Backed Memory	r	-
private_0x0000000000fe0000	0x00fe0000	0x0105ffff	Private Memory	rw	-
pagefile_0x0000000001060000	0x01060000	0x01063fff	Pagefile Backed Memory	r	-
pagefile_0x0000000001070000	0x01070000	0x01072fff	Pagefile Backed Memory	r	-
private_0x0000000001080000	0x01080000	0x01081fff	Private Memory	rw	-
private_0x0000000001090000	0x01090000	0x01096fff	Private Memory	rw	-
private_0x00000000010a0000	0x010a0000	0x0119ffff	Private Memory	rw	-
locale.nls	0x011a0000	0x0125dfff	Memory Mapped File	r	-
private_0x0000000001260000	0x01260000	0x012dffff	Private Memory	rw	-
explorer.exe.mui	0x012e0000	0x012e7fff	Memory Mapped File	r	-
private_0x00000000012f0000	0x012f0000	0x012f0fff	Private Memory	rw	-
private_0x0000000001300000	0x01300000	0x01300fff	Private Memory	rw	-
pagefile_0x0000000001310000	0x01310000	0x01310fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000001320000	0x01320000	0x01320fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000001330000	0x01330000	0x01330fff	Pagefile Backed Memory	r	-
pagefile_0x0000000001340000	0x01340000	0x01340fff	Pagefile Backed Memory	r	-
pagefile_0x0000000001350000	0x01350000	0x01350fff	Pagefile Backed Memory	rw	-
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001d.db	0x01360000	0x01373fff	Memory Mapped File	r	-
cversions.1.db	0x01380000	0x01383fff	Memory Mapped File	r	-
{3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000036.db	0x01390000	0x013abfff	Memory Mapped File	r	-
pagefile_0x00000000013b0000	0x013b0000	0x013b2fff	Pagefile Backed Memory	r	-
pagefile_0x00000000013c0000	0x013c0000	0x013c2fff	Pagefile Backed Memory	r	-
private_0x00000000013d0000	0x013d0000	0x013dffff	Private Memory	rw	-
pagefile_0x00000000013e0000	0x013e0000	0x01409fff	Pagefile Backed Memory	rw	-
private_0x0000000001410000	0x01410000	0x0141ffff	Private Memory	rw	-
pagefile_0x0000000001420000	0x01420000	0x015a7fff	Pagefile Backed Memory	r	-
pagefile_0x00000000015b0000	0x015b0000	0x01730fff	Pagefile Backed Memory	r	-
pagefile_0x0000000001740000	0x01740000	0x02b3ffff	Pagefile Backed Memory	r	-
sortdefault.nls	0x02b40000	0x02e76fff	Memory Mapped File	r	-
private_0x0000000002e80000	0x02e80000	0x02efffff	Private Memory	rw	-
6581.bin	0x02e90000	0x02e90fff	Memory Mapped File	r	... Region Actions Download Dump
private_0x0000000002f00000	0x02f00000	0x02f7ffff	Private Memory	rw	-
private_0x0000000002f80000	0x02f80000	0x02ffffff	Private Memory	rw	-
private_0x0000000003000000	0x03000000	0x0307ffff	Private Memory	rw	-
shell32.dll.mui	0x03080000	0x030e0fff	Memory Mapped File	r	-
kernelbase.dll.mui	0x030f0000	0x031cefff	Memory Mapped File	r	-
private_0x00000000031d0000	0x031d0000	0x0324ffff	Private Memory	rw	-
private_0x0000000003250000	0x03250000	0x032cffff	Private Memory	rw	-
private_0x00000000032d0000	0x032d0000	0x0334ffff	Private Memory	rw	-
pagefile_0x0000000003350000	0x03350000	0x03351fff	Pagefile Backed Memory	r	-
pagefile_0x0000000003360000	0x03360000	0x03361fff	Pagefile Backed Memory	r	-
oleaccrc.dll	0x03370000	0x03371fff	Memory Mapped File	r	-
oleaccrc.dll.mui	0x03380000	0x03384fff	Memory Mapped File	r	-
pagefile_0x0000000003390000	0x03390000	0x03447fff	Pagefile Backed Memory	r	-
pagefile_0x0000000003450000	0x03450000	0x03453fff	Pagefile Backed Memory	r	-
private_0x0000000003460000	0x03460000	0x0355ffff	Private Memory	rw	-
private_0x0000000003560000	0x03560000	0x0365ffff	Private Memory	rw	-
private_0x0000000003660000	0x03660000	0x03660fff	Private Memory	rw	-
staticcache.dat	0x03670000	0x046affff	Memory Mapped File	r	-
private_0x00000000046b0000	0x046b0000	0x046b6fff	Private Memory	rw	-
private_0x00000000046c0000	0x046c0000	0x046c0fff	Private Memory	rw	-
private_0x00000000046d0000	0x046d0000	0x046d0fff	Private Memory	rw	-
private_0x00000000046e0000	0x046e0000	0x046e0fff	Private Memory	rw	-
private_0x00000000046f0000	0x046f0000	0x0476ffff	Private Memory	rw	-
private_0x0000000004770000	0x04770000	0x04771fff	Private Memory	rw	-
private_0x0000000004780000	0x04780000	0x04780fff	Private Memory	rw	-
private_0x0000000004790000	0x04790000	0x04790fff	Private Memory	rw	-
private_0x00000000047a0000	0x047a0000	0x047a0fff	Private Memory	rw	-
pagefile_0x00000000047b0000	0x047b0000	0x047b2fff	Pagefile Backed Memory	r	-
cversions.1.db	0x047c0000	0x047c3fff	Memory Mapped File	r	-
private_0x00000000047d0000	0x047d0000	0x047d0fff	Private Memory	rw	-
pagefile_0x00000000047e0000	0x047e0000	0x047e0fff	Pagefile Backed Memory	rw	-
private_0x00000000047f0000	0x047f0000	0x047f0fff	Private Memory	rw	-
pagefile_0x0000000004800000	0x04800000	0x04802fff	Pagefile Backed Memory	r	-
pagefile_0x0000000004810000	0x04810000	0x04848fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000004850000	0x04850000	0x04852fff	Pagefile Backed Memory	r	-
private_0x0000000004860000	0x04860000	0x04860fff	Private Memory	rw	-
private_0x0000000004870000	0x04870000	0x04870fff	Private Memory	rw	-
cversions.2.db	0x04880000	0x04883fff	Memory Mapped File	r	-
stobject.dll.mui	0x04890000	0x04891fff	Memory Mapped File	r	-
pagefile_0x00000000048a0000	0x048a0000	0x048a2fff	Pagefile Backed Memory	r	-
inputswitch.dll.mui	0x048b0000	0x048b1fff	Memory Mapped File	r	-
private_0x00000000048c0000	0x048c0000	0x048c0fff	Private Memory	rw	-
pagefile_0x00000000048d0000	0x048d0000	0x048d2fff	Pagefile Backed Memory	r	-
pagefile_0x00000000048e0000	0x048e0000	0x048e1fff	Pagefile Backed Memory	r	-
sndvolsso.dll.mui	0x048f0000	0x048f1fff	Memory Mapped File	r	-
pagefile_0x0000000004900000	0x04900000	0x04902fff	Pagefile Backed Memory	r	-
cversions.2.db	0x04910000	0x04913fff	Memory Mapped File	r	-
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db	0x04920000	0x04962fff	Memory Mapped File	r	-
cversions.2.db	0x04970000	0x04973fff	Memory Mapped File	r	-
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db	0x04980000	0x04a0afff	Memory Mapped File	r	-
propsys.dll.mui	0x04a10000	0x04a20fff	Memory Mapped File	r	-
private_0x0000000004a30000	0x04a30000	0x04aaffff	Private Memory	rw	-
private_0x0000000004ab0000	0x04ab0000	0x04b2ffff	Private Memory	rw	-
private_0x0000000004b30000	0x04b30000	0x04baffff	Private Memory	rw	-
private_0x0000000004bb0000	0x04bb0000	0x04bb0fff	Private Memory	rw	-
private_0x0000000004bc0000	0x04bc0000	0x04c3ffff	Private Memory	rw	-
private_0x0000000004c40000	0x04c40000	0x04cbffff	Private Memory	rw	-
private_0x0000000004cc0000	0x04cc0000	0x04d3ffff	Private Memory	rw	-
private_0x0000000004d40000	0x04d40000	0x04dbffff	Private Memory	rw	-
private_0x0000000004dc0000	0x04dc0000	0x055bffff	Private Memory	-	-
pagefile_0x00000000055c0000	0x055c0000	0x05ab1fff	Pagefile Backed Memory	rw	-
private_0x0000000005ac0000	0x05ac0000	0x05ac0fff	Private Memory	rw	-
counters.dat	0x05b80000	0x05b80fff	Memory Mapped File	rw	... Region Actions Download Dump
winnlsres.dll	0x05bd0000	0x05bd4fff	Memory Mapped File	r	-
private_0x0000000005be0000	0x05be0000	0x05c5ffff	Private Memory	rw	-
private_0x0000000005c60000	0x05c60000	0x05cdffff	Private Memory	rw	-
private_0x0000000005ce0000	0x05ce0000	0x05d5ffff	Private Memory	rw	-
private_0x0000000005d60000	0x05d60000	0x05ddffff	Private Memory	rw	-
private_0x0000000005de0000	0x05de0000	0x05e5ffff	Private Memory	rw	-
private_0x0000000005e60000	0x05e60000	0x05edffff	Private Memory	rw	-
private_0x0000000005ee0000	0x05ee0000	0x05f5ffff	Private Memory	rw	-
pagefile_0x0000000005f60000	0x05f60000	0x05f60fff	Pagefile Backed Memory	rw	-
private_0x0000000005f70000	0x05f70000	0x05f70fff	Private Memory	rw	-
private_0x0000000005f80000	0x05f80000	0x05f80fff	Private Memory	rw	-
winnlsres.dll.mui	0x05f90000	0x05f9ffff	Memory Mapped File	r	-
private_0x0000000005fa0000	0x05fa0000	0x05fadfff	Private Memory	rw	-
mswsock.dll.mui	0x05fb0000	0x05fb2fff	Memory Mapped File	r	-
pagefile_0x0000000005fc0000	0x05fc0000	0x05fc2fff	Pagefile Backed Memory	r	-
private_0x0000000005fd0000	0x05fd0000	0x060cffff	Private Memory	rw	-
pagefile_0x00000000060d0000	0x060d0000	0x060d2fff	Pagefile Backed Memory	r	-
windows.storage.dll.mui	0x060e0000	0x060e7fff	Memory Mapped File	r	-
pnidui.dll.mui	0x060f0000	0x060f1fff	Memory Mapped File	r	-
pagefile_0x0000000006100000	0x06100000	0x06102fff	Pagefile Backed Memory	r	-
private_0x0000000006110000	0x06110000	0x06118fff	Private Memory	rw	-
private_0x0000000006120000	0x06120000	0x06123fff	Private Memory	rw	-
thumbcache_idx.db	0x06130000	0x06131fff	Memory Mapped File	rw	-
netmsg.dll	0x06140000	0x06140fff	Memory Mapped File	r	-
private_0x0000000006150000	0x06150000	0x06158fff	Private Memory	rw	-
private_0x0000000006160000	0x06160000	0x06160fff	Private Memory	rw	-
private_0x0000000006170000	0x06170000	0x0626ffff	Private Memory	rw	-
pagefile_0x0000000006270000	0x06270000	0x06272fff	Pagefile Backed Memory	r	-
thumbcache_idx.db	0x06280000	0x06281fff	Memory Mapped File	rw	-
iconcache_idx.db	0x06290000	0x06291fff	Memory Mapped File	rw	-
bthprops.cpl.mui	0x062a0000	0x062a3fff	Memory Mapped File	r	-
private_0x00000000062b0000	0x062b0000	0x062b0fff	Private Memory	rw	-
pagefile_0x00000000062c0000	0x062c0000	0x062c0fff	Pagefile Backed Memory	rw	-
private_0x00000000062d0000	0x062d0000	0x06317fff	Private Memory	rw	-
thumbcache_48.db	0x06320000	0x0641ffff	Memory Mapped File	rw	-
netmsg.dll.mui	0x06420000	0x06451fff	Memory Mapped File	r	-
imageres.dll.mui	0x06460000	0x06460fff	Memory Mapped File	r	-
thumbcache_idx.db	0x06470000	0x06471fff	Memory Mapped File	rw	-
iconcache_idx.db	0x06480000	0x06481fff	Memory Mapped File	rw	-
pagefile_0x0000000006490000	0x06490000	0x06492fff	Pagefile Backed Memory	r	-
private_0x00000000064a0000	0x064a0000	0x064a0fff	Private Memory	rw	-
imageres.dll	0x064b0000	0x090c2fff	Memory Mapped File	r	-
private_0x00000000090d0000	0x090d0000	0x0914ffff	Private Memory	rw	-
iconcache_idx.db	0x09150000	0x09151fff	Memory Mapped File	rw	-
iconcache_48.db	0x09160000	0x0925ffff	Memory Mapped File	rw	-
thumbcache_48.db	0x09260000	0x0935ffff	Memory Mapped File	rw	-
iconcache_48.db	0x09360000	0x0945ffff	Memory Mapped File	rw	-
private_0x0000000009460000	0x09460000	0x094dffff	Private Memory	rw	-
private_0x00000000094e0000	0x094e0000	0x0955ffff	Private Memory	rw	-
pagefile_0x0000000009560000	0x09560000	0x09561fff	Pagefile Backed Memory	r	-
private_0x0000000009570000	0x09570000	0x09570fff	Private Memory	rw	-
private_0x0000000009580000	0x09580000	0x095ebfff	Private Memory	rw	-
thumbcache_idx.db	0x095f0000	0x095f1fff	Memory Mapped File	rw	-
private_0x0000000009600000	0x09600000	0x0967ffff	Private Memory	rw	-
private_0x0000000009680000	0x09680000	0x096c7fff	Private Memory	rw	-
thumbcache_idx.db	0x096d0000	0x096d1fff	Memory Mapped File	rw	-
For performance reasons, the remaining 376 entries are omitted. The remaining entries can be found in flog.txt.

Hook Information

Type	Installer	Target	Size	Information	Actions
Code	pagefile_0x000000000caf0000:+0x28dce	kernel32.dll:AslpImageRvaToVa+0x1fe	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x000000000caf0000:+0x28dd2	kernel32.dll:AslpImageRvaToVa+0x1f8	2 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x000000000caf0000:+0x28dce	kernel32.dll:AslpImageRvaToVa+0x20c	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x000000000caf0000:+0x28dd2	kernel32.dll:AslpImageRvaToVa+0x206	2 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x000000000caf0000:+0x28dce	kernel32.dll:AslpImageRvaToVa+0x21a	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x000000000caf0000:+0x28dd2	kernel32.dll:AslpImageRvaToVa+0x214	2 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x000000000caf0000:+0x28dce	advapi32.dll:Wow64RedirectKeyPathInternal+0x3fa	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x000000000caf0000:+0x28dd2	advapi32.dll:Wow64RedirectKeyPathInternal+0x3f4	2 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x000000000caf0000:+0x28dce	advapi32.dll:Wow64RedirectKeyPathInternal+0x408	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x000000000caf0000:+0x28dd2	advapi32.dll:Wow64RedirectKeyPathInternal+0x402	2 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x000000000caf0000:+0x28dce	kernelbase.dll:ActivatorUpdateForIsRouterChanges+0x146	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x000000000caf0000:+0x28dd2	kernelbase.dll:ActivatorUpdateForIsRouterChanges+0x140	2 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
IAT	pagefile_0x000000000caf0000:+0x289b5	155. entry of windows.ui.shell.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	282. entry of stobject.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	268. entry of stobject.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	81. entry of winmmbase.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	110. entry of winmm.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	147. entry of wlidprov.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	112. entry of abovelockapphost.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	121. entry of windows.networking.connectivity.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	99. entry of notificationcontroller.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	116. entry of wpncore.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	68. entry of provsvc.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	9. entry of filesyncshell64.dll	4 bytes	advapi32.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	101. entry of filesyncshell64.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	121. entry of thumbcache.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	283. entry of ntshrui.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	240. entry of applicationframe.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	153. entry of twinui.appcore.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	100. entry of windows.immersiveshell.serviceprovider.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	530. entry of twinui.dll	4 bytes	kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x000000000caf0000:+0x318ec	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	570. entry of twinui.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	681. entry of explorerframe.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	112. entry of sndvolsso.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	104. entry of sndvolsso.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	116. entry of twinapi.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	68. entry of wldp.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	47. entry of settingsyncpolicy.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	79. entry of profext.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	98. entry of tokenbroker.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	85. entry of tokenbroker.dll	4 bytes	kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x000000000caf0000:+0x318ec	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	98. entry of settingsynccore.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	110. entry of coreuicomponents.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	56. entry of wlanapi.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	69. entry of webio.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	235. entry of hgcpl.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	56. entry of shacct.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	39. entry of networkstatus.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	160. entry of inputswitch.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	154. entry of wininet.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	166. entry of wininet.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	187. entry of urlmon.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	166. entry of urlmon.dll	4 bytes	kernel32.dll:CreateProcessA+0x0 now points to pagefile_0x000000000caf0000:+0x316b8	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	489. entry of comctl32.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	51. entry of msi.dll	4 bytes	advapi32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x000000000caf0000:+0x318ec	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	93. entry of winhttp.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	30. entry of samlib.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	84. entry of policymanager.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	82. entry of mfplat.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	116. entry of ucrtbase.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	117. entry of ucrtbase.dll	4 bytes	kernel32.dll:CreateProcessA+0x0 now points to pagefile_0x000000000caf0000:+0x316b8	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	55. entry of d2d1.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	236. entry of windows.ui.immersive.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	206. entry of windows.ui.immersive.dll	4 bytes	kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x000000000caf0000:+0x318ec	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	115. entry of iertutil.dll	4 bytes	kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x000000000caf0000:+0x318ec	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	126. entry of iertutil.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	143. entry of iertutil.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	135. entry of mrmcorer.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	236. entry of srchadmin.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	62. entry of dhcpcsvc.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	229. entry of propsys.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	87. entry of mmdevapi.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	129. entry of es.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	154. entry of es.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	103. entry of dxgi.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	71. entry of d3d11.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	91. entry of dwmapi.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	39. entry of ninput.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	54. entry of bcp47langs.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	92. entry of settingmonitor.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	61. entry of apphelp.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	307. entry of uxtheme.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	126. entry of twinapi.appcore.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	39. entry of rmclient.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	93. entry of userenv.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	124. entry of dnsapi.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	50. entry of powrprof.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	64. entry of profapi.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	89. entry of cfgmgr32.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	236. entry of windows.storage.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	245. entry of windows.storage.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	215. entry of windows.storage.dll	4 bytes	kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x000000000caf0000:+0x318ec	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	113. entry of shcore.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	85. entry of clbcatq.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	88. entry of clbcatq.dll	4 bytes	kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x000000000caf0000:+0x318ec	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	517. entry of ole32.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	550. entry of ole32.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	79. entry of rpcrt4.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	230. entry of user32.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	240. entry of user32.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	177. entry of shlwapi.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	261. entry of msctf.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	185. entry of setupapi.dll	4 bytes	kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x000000000caf0000:+0x318ec	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	174. entry of setupapi.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	220. entry of combase.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	668. entry of shell32.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	638. entry of shell32.dll	4 bytes	kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x000000000caf0000:+0x318ec	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	631. entry of shell32.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	41. entry of wldap32.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	199. entry of advapi32.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	116. entry of oleaut32.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	133. entry of msvcrt.dll	4 bytes	kernel32.dll:CreateProcessA+0x0 now points to pagefile_0x000000000caf0000:+0x316b8	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	134. entry of msvcrt.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	789. entry of explorer.exe	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	808. entry of explorer.exe	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	134. entry of pnidui.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	142. entry of pnidui.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	277. entry of authui.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	302. entry of authui.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	271. entry of authui.dll	4 bytes	kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x000000000caf0000:+0x318ec	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	154. entry of audioses.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	139. entry of actioncenter.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	2. entry of syncreg.dll	4 bytes	advapi32.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	187. entry of shdocvw.dll	4 bytes	kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	91. entry of winspool.drv	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x000000000caf0000:+0x289b5	84. entry of winspool.drv	4 bytes	kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x000000000caf0000:+0x318ec	... Actions Go to Installer Region Go to Target Region

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Create Remote Thread	#7: c:\windows\system32\svchost.exe	0x554	address = 0x7ffb48189fa0	1	Fn
Modify Memory	#7: c:\windows\system32\svchost.exe	0x554	address = 0x7ffb48189fa0, size = 4	2	Fn Data
Modify Memory	#7: c:\windows\system32\svchost.exe	0x554	address = 0xcaf0000, size = 1257472	1	Fn
Modify Memory	#7: c:\windows\system32\svchost.exe	0x554	address = 0x5ad0000, size = 792	1	Fn Data
Modify Control Flow	#7: c:\windows\system32\svchost.exe	0x554	os_tid = 0x2e0, address = 0x0	1	Fn

Created Files

Filename	File Size	Hash Values	Actions
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\9XACNSYG.txt	0.65 KB	MD5: d0129961ebfe50fa6ca75d21eb61e3a4 SHA1: d27b99f26b21b15b3596543c71dc9c90bcda9b19 SHA256: e806c3f694373d51d383c0c751000397134ae24b0ed1ebea86022e84acde3d90 SSDeep: 12:Sx7DM959MgXARZuYuDM862BXTOXGyPgfdYdpwmDM9koTjgwXBvDj3DM9b7wX8xvN:4c3XARZM/62BXTJsyYrD8TLXBv3xXS2e	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\FOLSAQT6.txt	0.18 KB	MD5: 4ca3be7b04c247e9d449a44b5a6cf858 SHA1: fd9d71ab81c71a557b7ee6aa85ac506361dfd956 SHA256: ea3f148d4ea306b09742b10db720a8168de6369b284aa84aad00e3045afd4c17 SSDeep: 3:ePRyKK0Xv7YcMccpXQNp88CvXIGIcRrSMIlQsc9FyKK0Xv7YfUHWVTdzRvXRcR8g:ePRqcWpvXIeNFI+scziUHWVTdz0vXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\2EQ4E2OJ.txt	0.17 KB	MD5: 7512aa3e2c38a83f4d3d26a7d8714511 SHA1: 2d2ea08774c1ccd206f654bccd7650d431a25a55 SHA256: 865544f25418bb6b865f00677375499c3736afaf03168e1dadb8ab40dfcd7f8c SSDeep: 3:sUcnRPRX6Fs4dRgC7xP+OlmHcH6JKvBTKfXv6NJNOUjSLG20vXn:AnpRXKsQ2C9+D8CqBTJ5OUugXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\16DOE15M.txt	0.09 KB	MD5: 94aeec86e28b468192928766c6dcd061 SHA1: c84c43fcfe2081435e76289ab216a118c4c3ff9e SHA256: 6312190e1bafb72552b848c7aee99f0af8efc58ee9312a99d612b112f506d4b7 SSDeep: 3:8VZJVWRdiFSiRYVMXUR+YcUNZ78X7oVRCvXn:8bJAviuVdtbqowXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5NWXN3UI.txt	0.10 KB	MD5: 63652588e7b2644c7c3e06cefcdc6ec9 SHA1: 8f3b736d7810b688cda2fdb4eaeff62001bf6fb7 SHA256: 3e7424ea43c00b67dfdd810ff3e38fe341cc1f5d7789a8598fa59729a17204d4 SSDeep: 3:rdiUALD36fh68VXJUafNc2HkCd/OQvXn:rkj3qfbVXXqikeW6Xn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\RQK5QF4L.txt	0.38 KB	MD5: ff1bdcd2fb639a27a68b241eabc26573 SHA1: 08d9f85bce5887c701fa17429c926465f07e6ae6 SHA256: 7d17362d4a8e0f61c2190281258dc6d6ec48f730af23a20c21c0cff2f7f67add SSDeep: 6:BqVsFaI0rIE/ZyoK6XnTE9ZOdNsB6XYHheZb56X7/ZyoR86Xn:BdNE/9K6XnTE9h6XEw6Xr9RxXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\UBUPNOZC.txt	0.08 KB	MD5: f68a5a9f24cd597cd017d6b110f1a58a SHA1: cc344df28581989de9849bee9d006ae66e9b696c SHA256: 8de29fee8c9f103ebf86fd687c9d459359e7cdcd6fcc444012ac034fcaa18080 SSDeep: 3:/1I4JlrMyfUVXJUEumXxfcTj7DvPv:9nloRVX1dRcv/	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\FLTMVY1F.txt	0.53 KB	MD5: d317e0d803462b36d582dbbf05599ce8 SHA1: 4e82e1c8cdaadb1d0232b3beda72fa1a6ac76f99 SHA256: ed3d512e3716077a56a3643c836cdfe7ec90b1f4c9d7fe3dfedc4eea22bbac8b SSDeep: 12:fH4Q2iMdWTITwXUT4iMdWzXtQvyG7b+KI7Mh0fT4iMdWxXhwiiMdWxXn:v4lVEawXUT4VEzXtBKI7MsT4VExXhwiW	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\LY1NFEKN.txt	0.39 KB	MD5: ba6d817ec272e0cba47c5d3945339cf5 SHA1: 4666d6cf0335925921526d35ff659e5fca9780fe SHA256: 44d3b0c7312933d93c5936f4ffcd21c99ad4d7fdd58db88e07e7904f8047b63c SSDeep: 6:A9SyjIwvV+2XCBYdohGMGsMat5KGjxbQCiFGdh4Jci17uIopvV+2Xn:AYaI0+2XCGdMG2ClC4Kauf+2Xn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\0Z1JIEVI.txt	0.22 KB	MD5: 646f6f66ee081cce757e52ea4d808b12 SHA1: d6e593830037973275e78dc09e49cd8c038d53cc SHA256: 0f3c844901ec5fc3628fc6feb57d0aca9185bf82bf7aabf3263d366dd306df62 SSDeep: 6:zCAA7xOe6FQRxc7XMDKoSHXoPNsnbXydLoSHXn:zYxOXFQRxc7XMeoSHXYNsnbXydoSHXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\M19117WZ.txt	0.28 KB	MD5: 5af345c73008bfd2c26007c01d223878 SHA1: b02288508e971719897395d0743c7bfe317c164e SHA256: 886e2f0d2a72ccdee3fa169a40e3ef53ad5e96872c2ea2be2d2ad270cb6b413d SSDeep: 6:T3TMqFLqz1jaU/CTDOz6W6XQ4ntxsUUuSjYjRUrMQEFFaU/CTDYRegwXn:LTMSLqRjaUYK+W6XJtfCrEaUYECXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\CC7DS78R.txt	0.08 KB	MD5: 7d9c78cacb5a9cb94eb5aa8a2c742041 SHA1: ede585bae4c1e97119da972a37087b36838f6b02 SHA256: 9b3205b34c79623b10c63068cf77aea314094fede20a4d791e1b0ed61f040c52 SSDeep: 3:Kfx9L14XL00Xv7YceQ5vUVYrlTsLZ0vXn:cxv405VKrlTCkXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\J4JSQG9R.txt	0.70 KB	MD5: ec0e2a4bb106d6fefc2a641a611b17e7 SHA1: bb2a769409d68e5e217acc5b010a53186354819c SHA256: 9156016b2fafec5d8f2613e93aae9168651696bd24170bfcf3c9375045bcca67 SSDeep: 12:BcTUEk098kjXmv098DwkXmN098D/XmrPq/009pIwXmtCAb/XmcKSJstVYZnokNW7:BSdkDCXaLD1X2LD/Xz/0OfXkf/X4Sm/N	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\9M7ZHW1Q.txt	0.49 KB	MD5: c5b160a6bdddeae0b05016d73c9d3e15 SHA1: 48ef4584afc0a4f99690fad0622fc7b5b1ac360d SHA256: 6485f3db1ac00f87b4cb91f1caeb1e1a70af5c224e012598470fe847b2ce9e4e SSDeep: 12:fKQ5lxWmBEL0NKtoZXWDoYXqNKtoknXktelMwt0ny4NKtoknXn:fKcloWut8XYztbnXktMv19tbnXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\TFCJHLEI.txt	0.21 KB	MD5: cf2137c36db861ac3451b0e44da7d996 SHA1: c56e668e1a8c9d2cc41344c2d848f881b6f04732 SHA256: 4dbd03091b1d18a4f91015af52467c40904ffe5da0d53302ff8b831786c5aef6 SSDeep: 3:8MrvwWWQDjSxQ7XFIyTKPv7Ycyl1XPJL9vWLRCvXRFA6riZ6cvUA/0dSIyTKPv7I:jqWjS2ph5ld7W6XuELA/kSh5ldZc5wXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\HTVL5WIW.txt	0.11 KB	MD5: d228b825d1ae810ff83a16fb6a27d410 SHA1: 18f59e4e7353676e7088cbcae5f4c68e380595f7 SHA256: 5b95c77b52409ac5e99e3da6a5f9d1a333257b9e0241b3ed6e80f9ebf58b3a1a SSDeep: 3:WXIQ8TRay7mbvj2WLv7YceQ5vUVYrldScUWOVavXn:Wd8wyq6zVKrldvUhkXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\ILF13HLB.txt	0.27 KB	MD5: ec239f6ffeb2202bb92f8c9d760a41f0 SHA1: c4d0d9637718bcd0889b2ada1f09aa0c40327808 SHA256: 80af63bb11ee86997800b9b952f7b279becdcd1728fd3592975ac1feb31d50f0 SSDeep: 6:AWI1dfZTkOUugXS5rrqtaNIj1XoxKZTJyIYCXn:IZTkOUugXStr4a8w6TJvrXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\80J4IH0Y.txt	0.09 KB	MD5: cc85eeb9c325d0d9f2c8863db4b981f5 SHA1: bbdc8bcaf9f8841c234df6e03c7cc40dd2973275 SHA256: f08b945f6b90082d1dca17d29a0596c9b3489fc6d139c41e003c24335cc6f91e SSDeep: 3:e9npZtPfAIioKKPv7YeuXJST/dGWVvCvXn:QZBVAIJBVkXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5AV8L20N.txt	0.33 KB	MD5: 296d887b58e5ef72cba662dc9e71e600 SHA1: 04695b299c9b54ab8c694bf9fd986b20b9e09931 SHA256: 6909734c0f752dc11a7972fd04c7f7e59076a84fd9df44dffaa084483ee64631 SSDeep: 6:37IpLkTNyTlQgwXeKwYOUQe/XnJeMehd/qCYVTJh0z4xswT4lVRXn:3E9kTNyRdwXV2s/oX/3kTJh0z4KwT+TX	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MBJX4MYA.txt	0.20 KB	MD5: e939180a8bff9e08419c60841301c2ae SHA1: 96d0d00bafdcae91c8e4603d0b1e5465be4a7e71 SHA256: 68491399f80f0d0481a90cd3e42834262b21465a7784a98760d8293ff83b4206 SSDeep: 6:KRX8WWXiM2scKvYXyISWRX8WWXiL3ogXn:qX0XiMyKvYXbSWX0XiL3ogXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\L78EW25D.txt	0.11 KB	MD5: c2b3517e60b42eb30826372db0ca3139 SHA1: 7409416323c74bd2940aa427bc175ae18b3348e9 SHA256: a3f4b18cbc8682d64e3be168817108b8eb094e169f5ec909ea633fbdb076c922 SSDeep: 3:+SQIQ8TRay7mbv2I2FLv7YceQ5vUVYrldNWVTevXn:08wyq+oVKrld8TwXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\JWFWLAYR.txt	0.17 KB	MD5: d3464229c025862a45b24654941a9dea SHA1: c01459638e242ec6de1ca43e3dbca8584e225c1f SHA256: 90f209194b4e0c46f7d1fd37ecdbccb217498cd6296685c0c821b216296aa549 SSDeep: 3:xRXE1oQITviMzoRvgKwSZdOVTV0vXGTSSmVTSkoNvkoQITviMqDMRvgKyEVkLlC/:kuQlMzoRjZaVZWXGeSmhSk4QlMkMRjHr	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\DRDF2EZX.txt	0.09 KB	MD5: e478700e454e0bb1742a70f00207df1d SHA1: 33af30eadb826320c12c054ebd13a61edf44e8f5 SHA256: 7a8db261e58781982babaa6c592a34d5c1c78445b540e3928ffa85b528cdb813 SSDeep: 3:5AHKWqkUVZsHdyKvXv7Yew7Sd3vWJBSlYyZ0vXn:NWqdDsHc8NaBSlTkXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\66I0OJL8.txt	0.09 KB	MD5: aee1a01083ef6a58ea22dc1b7235b67a SHA1: c7b76283f65ac1b6fba6c4696dea692fd7f5a819 SHA256: 6b6b7e5274e117ae63485b7ccf0887d5f75dbd19eba3f84e61a93c4d61f57d9a SSDeep: 3:ZDaNAtqLSxovXv7YfXveKd0Dl7O5evXn:ZOetZWKdOvXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\0GHTMU6X.txt	0.10 KB	MD5: 27ba80dd246a1b4c7dca6d48a42cf9dd SHA1: 20e67d18a7dda80804ca18d076197515832cf465 SHA256: 987e808573adb84b0148517081d6d3bf12256973fc558293629936bf00dc74b8 SSDeep: 3:AGunUcVhEp6DqBc/A4v7YelXuAZST/e3dXX5evXn:AGunUc4dgAUeAIOn6Xn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\DN8YUCVA.txt	1.34 KB	MD5: 439e180784d9ee72582c7403a9a43832 SHA1: 49c18f3e224df6b26526c747337ce25cd60e3704 SHA256: a1cca4a3435c45936cb9061096683e48bb52ee30646ba633448edbecbfd81fca SSDeep: 24:idTEwXUIx+vnXAizQ7vnXX5xJRsJIwTNYisGENLjmQHhhi8GClSeX53WfU3smzfc:idYwXUIwvnXPzCvnXXLA6MpsGEtLHhQf	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\DQI7WAG8.txt	0.09 KB	MD5: a222123fe4776ac2b250bfbc74759290 SHA1: d494721e269d8df189f847f3c63e95977bc5a064 SHA256: 1ac7fb7394be8409fa0b4bd48ecf6bb8aad299cf0fb8cb812a649cd119995d1d SSDeep: 3:tqlsIvgXLMKY7YfUf1/WJcWAvyaOlCvXn:UuIIXLMKVUfScWKyavXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\3RW4K76X.txt	0.08 KB	MD5: 9542135739d1d79e8800a0cb72b64dd4 SHA1: 78ad4f96af7f63c24002d53393995731a2b54ec2 SHA256: 3f556a72c2576c094f63593d87bb9ab0b3f71e1e7221509406a036364d9b37ad SSDeep: 3:rLVMlYJiGTuv75vPrL6HgevXn:fVgYJwvPnagwXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\8FFCGS26.txt	0.81 KB	MD5: 4e39ff879c13325ac133cbcccc16f96e SHA1: 18527b12ab6f5411be70b2bbd2da02b6bb3665c7 SHA256: 3d81c7c7e7cd4890d73bb3d596df78064ebe186cae7ec33811e54ad7d7e7b90d SSDeep: 24:uYaQddetkE3JGjnXeGjnX6k4SvnXHbXYkftpmXBOXUrj8s/3X6m1QoXn:uwex3JOnXeOnX6k4WnXHbXfFYXgXUcst	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\FCGXHIFT.txt	0.30 KB	MD5: 4609eab2d4eec4fece79e9db504a0d9f SHA1: 7018259a7fdd640ba5c298ea13c181d933500d57 SHA256: 4d8c0deb3306a3fdc1d57aa11905c176173cd05dcd7f7fb66e9a84f5f80f99db SSDeep: 6:3SFW87rYgE6wXUuZaIhqv6XnE6wXWsHI1hq4u6VkXn:Cd7rXExXUuZph88nExXWFLu6VkXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\PF9HBAFQ.txt	0.17 KB	MD5: cb328f47b7e47d1b54f67ed63f9e3a0b SHA1: f1d8f17b35e4ed673b94842d64c0032489099024 SHA256: 3fe1e920f4f285b764364522495178595edd3e69291d2557a0715a7e5ee8d323 SSDeep: 3:uWviTSsR3ur9cWTiILEVtyn8UoYtu0dXv6NuRVmERvUVYrEavXn:uWa2sQrlTatynfKERYVKrEkXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\NEHE4KDB.txt	0.11 KB	MD5: f94377fbbb674a5f88931341223281e1 SHA1: 33cd3fc3430328fd94a9f899a8fd899e53440278 SHA256: ec81b248326cd4fe781ed014427e2266227d7ea4f731e079d332067fc6a8eb25 SSDeep: 3:tyEZRwVV+fQVMLv7YZUTlJST/9cTVZ0vXn:olVtUKhcTVkXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\AA2IJ7JU.txt	0.28 KB	MD5: 76948d013eadec4f86c2ede10cd27b30 SHA1: 97b96710ba837491097e1934a8b07b29f402371b SHA256: ba95a96baa9ede7e8212151401548c46b883c8d271523c73d0a2e541d93cb8a6 SSDeep: 6:6AUFHWROjIkBJzSQkhGvkbbUXqA/W9khGvkbbUXGRrkRvTXDWXn:r622Iy+QBvkbbUX6BvkbbUXGVsvTiXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\U2OYIS47.txt	0.11 KB	MD5: ed62b64b5e3541d37410394c1d7664eb SHA1: 3f8f0e7c5a1275b89041ab9c05f36c3dffc06059 SHA256: 94f223a880d761107a38fc85303a26a2b70395b74051ff91f59e324e924e1c06 SSDeep: 3:2T/TXpdUWjyqMATeLXPv7Ye5ST/t18CvXn:2T/TXbOqBTUXU7vXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\Y3XU5OKR.txt	0.09 KB	MD5: aa3652cf271fc1af8e50d76b58e011b5 SHA1: ad8f6876047409eff1cba8bcbdb39f65e3cc4ae0 SHA256: af49a40bb3be28e62378ec73d8eedf16fe8465b7b8f068219b037e5ede047760 SSDeep: 3:IJavZLGGPv7Yc/RIXQNoUdTW6T7CvXn:IqMGBRInUdTW6TwXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\BK4HNAZ1.txt	0.20 KB	MD5: 1c0555248cc28dc289a1de0494ca6701 SHA1: c9f1a1b2cfc200b2117acf5dceeac5aa9375aed1 SHA256: 96d94af32904aa45a01c4388e448055e694c9ce53a1c359aa623ae95a69babe2 SSDeep: 6:HEjiV7qRDS466RfW6XwAjV7qRDS466RfW6Xn:k+qRDlD+6XNqRDlD+6Xn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\GXB342YS.txt	0.31 KB	MD5: 097034e89b2bea9d50e5a8bae3d418a2 SHA1: 959c39c666e125550bc5f6d1d88320cdc23dd8ac SHA256: 1065fdbd673eb769b0e01647cfc9dd899a2104dce0ba667c61adff4fab470223 SSDeep: 6:nc7RlRImxCmrn4wX4+teRj4lRIVQZBBi2MgX4F3SRIVquTavXn:c7RlBH4wXhAoMQZBBi2pX5MquuvXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\8489XH4E.txt	0.10 KB	MD5: a4cf7ef2e79ed6992a42566582ea4d84 SHA1: 07adcb8e50b4be19a86a20b26c06c8d6d348a87a SHA256: 81cffb731f3cb0a5de3d8d3ff1ca8e60ccde03b9f18fc5e293e3607e7ce51612 SSDeep: 3:e7TpXljS0USzM4XWHccJP0VRNyVBvn:W2czMPHccyV3yLn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5TAY54V0.txt	0.17 KB	MD5: 17d3a6201294f05e6c9c8119014a6531 SHA1: f020f1df542729b8d5edea3bea1e77f37c372fc2 SHA256: 09ed4d5e6c5ca4e8d2a4f234cf41b067f402ad2b8c242715abbb34a0d82103c0 SSDeep: 3:9WXAPEBYRPv7YZV3od6r8S47CvX6v6bWQlKHELRPv7YZV3od6rBQ0vXn:mAPEZtoq8SvX6qQHEStoqBnXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\1UYN2RFY.txt	0.27 KB	MD5: 239b092bd838a2d2f1852b9a380793c0 SHA1: 1e5f869c84c922150d17126b8c9cc55175aefd65 SHA256: a2d94374e0a07bc6af6178e95c624b7de86aab9df31f6a24871849261fe6ba55 SSDeep: 6:AWDtJuDK7SWZKSYvdTUQp6Xs2jogLPOfUdtvzN46Ec6jYGMRW2dTSOXn:AcuDK7SW0BFwNXF3PO8dtrN46p6MXWYB	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\HBPP9XXY.txt	0.57 KB	MD5: 8e50a0c7b176b80665d7bb5c3c940ea7 SHA1: 38c99bc2db09f3bf288435da964a27efc8821344 SHA256: 20df70d6f877a564ce953114fe2932410f76df6dfa153750eb0eac82490cc301 SSDeep: 12:oERULP3zV1st9IiTuP97Uzj1ifA5cdW8l4Y3uhY3M:jsP5Cm6+97UgfA5DyVc	... File Actions Show Properties Download
C:\Users\CIIHMN~1\AppData\Local\Temp\4D82\FE41.tmp	0.00 KB	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3::	... File Actions Show Properties
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\LVARU12Y.txt	0.25 KB	MD5: d05f62dab8d29457779fc5d57d1edf0f SHA1: ab72c8d6b102efe18770d738b7555bf0ca8120e2 SHA256: 041d385e4c8aecc7b599d43b246a8be1a0c9b8d1c4e0bb516734cda94f71a012 SSDeep: 3:e1aNxXyrXv7YaBOYXdTUo7SZ0vX2kqYGhKXv7YcNc+XPhMkCvX2CfhpdVnRfK0XK:WabXydOYNYcX2FXoSHX2mpXJgopgvXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\HF8F6LU0.txt	0.28 KB	MD5: b06bc86eed572b87c6652e8516558501 SHA1: a7b5dbbe8b64096ee17eb1908bdf3c782ee024dd SHA256: 21278b763254b99be86ccd77ec0935f8fd0604c917ccceef80791861c047c6c0 SSDeep: 6:64X1WIK6hZ1G9wXwqYV94P2kQ1vthZEKrCxWXn:TRjI9wXwq4mRQ11O8Xn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\XRS5D0N2.txt	0.27 KB	MD5: bc9c1d0adf0756ef930ad50eea728429 SHA1: 5f01fc4b43bebada9498cbe89c02eb52f2b65795 SHA256: 32cf69501b10721bda7fbf439edbf05f3f8a3c4f37188714d55322560318f49f SSDeep: 6:fRshdSvQbTwXQSXTONZNAZAHIfUShdSbX3xZcopJ5wXn:fR2dSvQ3wXtK3NQAH1sdSbX3DzaXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5WQEGNKI.txt	0.19 KB	MD5: 906b379bfefa7c26a7532875354e89d6 SHA1: 92d50078852e71d3a20b68c8380dc697564f3fb7 SHA256: be71cc93fedcb5e6b95b71b0937cbf7bebd74ad2f4e9f649626441dd6f5ec230 SSDeep: 3:oI/dyn9eoMzIkGXFiLIoCYK/v7Yc4WhaXeBcj/Q6TVRCvXEBoLm5oIoCYK/v7Yc3:oICjAIkGXefCYK2OaXscbUXEB8fCYK2k	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\Y1I415YS.txt	0.09 KB	MD5: e0c59cd5f2fb90c52d0a6a60c2e4a7a0 SHA1: 4775537bccdcbf860f12af918265eff3a80d8e9f SHA256: b100f38940c418321279f53b8515aa065dcef0892a7f0b39cd8af184e30fab93 SSDeep: 3:Z9VTSkLBDKYvKvXv7Yc+VRvgKxU8HgV0vXn:nhSkLAJAVRjxUcgwXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\sols\macromedia.com\support\flashplayer\sys\settings.sol	0.49 KB	MD5: c80c85f625b6831740d090127fa1ebd9 SHA1: e36fb4cb9355d044cf0cf12706bd8ff1d21b8e86 SHA256: e185feb8815d64fc0b0b791581e1c7d181bbf5991f81962e7444c9b6e2b639b5 SSDeep: 12:xvHnxJO3/PwbN4XoHiDXEE008AQsn4ljqB7W7i:5nxJo3wbNQCiQE3RdRB7Wm	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\O8FFFI2K.txt	0.11 KB	MD5: 8abfc793b40ca3461ce3fb9079a8fe67 SHA1: 41841bb3ed2c57566243095c06b113971f819408 SHA256: d54f0fcbdf15e23948f9e12428c77e6bddd68a9c0e9a7502124fcca0d8e40c63 SSDeep: 3:KIAMBTTjEIBHxdQBaHoQM7YeKXUUCV6NeoCSPqVvCvXn:KelTjXvQYIQTNCVOCSDXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\9IJPMFHZ.txt	0.35 KB	MD5: 2e3b88ce851efdb6297837c7c79f1761 SHA1: aa54915991b7439743fe633b3b7bf9e791341e8a SHA256: c67e8fd7072a1bda8a6eab7cffe4de2efb8b97e59be3500b5fd9b5ea8e361ebf SSDeep: 6:aRd3XJys8NaBSlTkXmT3HcoBAaBSGkX44oBAaBSGkXQXhCqDIfdicHRyPs8NaBS6:g3Zt8Nakl4XmTsoyakjXFoyakjXndZyM	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\4YWCPPXN.txt	0.49 KB	MD5: 83edbf270ddbc68c482d1724e8ad3abd SHA1: d44cfb79fb96bab89291e4daa3a5a0f6444970c2 SHA256: 6ec15d81d07f49b7d7ef5aac56d12184c71baf09af06e6085488184ef0113f7f SSDeep: 12:GVwZA2PEtCGT4abM/LQpXl9pXe0M/LQpX43R7N+M/LQpXn:GQhPX/ag/8pXhOT/8pX4V/8pXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\UBXQG39X.txt	0.10 KB	MD5: f99798ef43aaa89a31d3531f2a381706 SHA1: 49b7cfcb09913e46ebfbf31ffdb88483006c18fc SHA256: 1322157dea51edfb030e63b60b00f4d4fa9c4270eb8f6704e8b6b0227764afc1 SSDeep: 3:Ft4QA7j9lUROOMjLRPv7YemVHSrXRdTjTVvgevXn:XNjMj1rtvnXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\E2KPI4ZI.txt	0.10 KB	MD5: 57203257388830d03797fb899b9a2144 SHA1: 6b6f3dc6d8b7b0aad5e78dc3578a6d44230923cb SHA256: 0dcb61604990096a0a8382cf1fb89c68bb2d3198671570518d16de5294e64b64 SSDeep: 3:hTEfQX2EWI0s9LZv7YchSKXQNkUlE6VRCvXn:aa2/I0s9LrrUlE6wXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{25E2F79F-402D-9FBF-7229-7443C66DE827}\01D46BD24DAB98E809	0.09 KB	MD5: 1c6b74959af3dfa3eb5647ac066b069d SHA1: 18faf4dc3d546cb4001ce3714bf8a3f6c1ee83de SHA256: 86e04f17d07122a0e7a7a37f0d4ad18e4f2c4cd19429bb48c45fad8757f2097f SSDeep: 3:Lnkrv2UMADMfcMNPmrjAOGJvjKWEI0jAOGJvvn:LW2gDMUMNP3OGhjKGOGhvn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\0MDKR34W.txt	0.16 KB	MD5: 7c8e4b563cb7d7e947c00d5a86c69cb0 SHA1: 83c779ad19d5d4ee035495b4ce3ec4663aeb3f9d SHA256: 7941fee1d98b4fa10810ddd1872afcc1d8b6e0b9f60115ac2de8e74f6c7b5661 SSDeep: 3:NYUQP/Lv7YfUHWVTdzRvXRGRUp7CvXIERSrLv7Yc9dbbZ78X7Ibjg7CvXn:geUHWVTdz1pwXI4S1bRkOLXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\FGTTES1V.txt	0.09 KB	MD5: 3ba4706f61984e8efe6e242f92d129cf SHA1: e63b9ae24353c6e44b0798388f731140d79df79a SHA256: ad383d02cad8578d897104a34574b72e10861989c3fd69deabba66b7a3f5f56a SSDeep: 3:W0C7D4WDfsJLGGPv7Yc+sFXPXTXTW6T7CvXn:I7HDfsJyDYbXTW6TwXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MA5WDFBR.txt	0.09 KB	MD5: b60e6c5e83996e1fff82c83f41d4adf5 SHA1: b6f889e00213beafdae3a0e3f9f8cb93416ad81f SHA256: d2d24eee2053c61563573e7314253e481916dedebe686375fb2ff134e65b1315 SSDeep: 3:psNGTWeM9uMQDbAYZUTlJST/xXWgevXn:psN/bwMsbXUKFYXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\B427TFXJ.txt	0.50 KB	MD5: e02400d092e6cdacb5ac6fd6be20ce48 SHA1: a7f6e16476cff97689fce9af6dcb103fc6f2c63e SHA256: 64846d29e69fc2ecf47457e5b2ff2dfa45b312b2c77b2fb14ce85d886af61c06 SSDeep: 12:mbdSkXO9WaibdUX5NQAHnN23TuQYXEm9N23TuQYXkf8KrSRN23TuUKNXn:+dnXOSdUX5NQAHg3T8X83T8Xks23TwNX	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\KNJ4AJDH.txt	0.50 KB	MD5: e0f4170082366cfaf37f050580d3044d SHA1: 61e9f235887ebc6804ecd002e9c58d12abe43f63 SHA256: 83bd2d32da76ba4b3fb27c9a9b11d9d359355b5cbdade0f4986625287382d110 SSDeep: 12:m2K9t1qXp7I5vXP4iH5vX62IAc7XBIHcsqXn:Ct1qXpCXP4iFX62IAgXYqXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\V7NNCJHO.txt	0.14 KB	MD5: 6ffbc08da17638b6dfb10b9195cd8a24 SHA1: 2d865d1d504bbc4fd9a8ecfce252b2ded1108c90 SHA256: 428971e3763e7a1d64a9d9c0b1c266234726dfbdcc98b10015c8aa5e41a71894 SSDeep: 3:FbOBv31WATEGkndvO8GbW3QuHgoTEGBhvgv7Yc+RXRdZ78XuNVTevXn:FSBvsATv58G+9HgOvTjRXRZVTwXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\9ABR37NL.txt	0.23 KB	MD5: 0b15f5d10ca33f9d647463a315f69773 SHA1: 95dd0dbf3944e8456dfbcadba3315c48e8055215 SHA256: 1ba872404f6a836bc7afa16e7bbd42f1b0a5e8231ea3bf645985537f10f56cbe SSDeep: 6:oPcCWm3Qc6XaVZWXQKnhSkLAdMRjHaL6Xtw/LMj6Xn:ojcZXbXnnEGSMRjrXtWXXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\B4K109K7.txt	0.35 KB	MD5: a73ba9945a7e8017ac0cf57e170813fd SHA1: 47eb925d53522e428e93e612607a5f0c5ae08b95 SHA256: 87998def0768c5e83b92d5ff02dc228da09d2fc048d019d9e8ec25a6bd5cea04 SSDeep: 6:sEki6ujJTS+PiRdMQXlQvYRqtVbF/peOQ3k/KOTkCWCd3yv:sEkvuZS+U1QvYEtVRUFRCWCd38	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\K8249Y1G.txt	0.23 KB	MD5: 0918fa451cf958d2b7359441381271ad SHA1: b3ac89f7450ffd73d9acb46ecf3fc5cbe6379ff6 SHA256: e49ea66c24aea3a7c174ffbcd60fcd5fda6d6a2c26057434c3c4cc65c7b7d1b7 SSDeep: 6:Yw2sWI466TGinXCc0S+7XJCsWI466Tp5wXWoRx2sWI466T9WXn:REQcXC1S+TxEhwXWqx3E6Xn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MIL4MU1S.txt	0.16 KB	MD5: 2df0ee3f94a49e7a1a8914f558cf0432 SHA1: 7597be3852704c4730c816f26703e847836922e4 SHA256: 833d06d473bb644765fc3ad437edcbcda662379edf5b6976cd95de0ddf04102c SSDeep: 3:k6XpA7sAdVUQNc6wWdTEtRXBSDWBTRyXAXUuXvAbQIOcX0i1XPTSWAevXn:JxAEQOjaIjRwWXEAXUuX2ZzXndbJXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\LC10XEWL.txt	0.32 KB	MD5: 7bc7e24194664bd57552ae27e3fba393 SHA1: 48c0367392eb54198a29e857dda1bd9f620da632 SHA256: 4abcddc3fe92a83634b48ad95ba078bbc21f3861f1aa82c4f8206ddea953294a SSDeep: 6:TQGP2KrF6ZWX2ijYBr9ktC9ZKGB2Krl8XfJjZPUAGNVKrl8Xn:TreZWX2iaLOXfVSPXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\TCXQPY9L.txt	0.11 KB	MD5: 952fa7ed34793e872db6271b840b6528 SHA1: aa24d10bdc16027e8862cd3ff92a1f343db4c340 SHA256: 8673236e9e92b92cb0ab25895603d08c9300b4e8eef834360881e17c00f8182a SSDeep: 3:lHSmVTSkojrQIvKvXviMtIVRvgKxU9NR3O5VRCvXn:lHSmhSkcQZiMtIVRjxU9NR+LWXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5STJ6NZL.txt	0.71 KB	MD5: 07e1f9989649112256706501b51a0dc0 SHA1: c819e061208903029c5fe3aa97a48ef2731eb477 SHA256: 26e54015bda2a06be503deb5cf5d1b8744c985ce4479b50b50e780e833d55ab5 SSDeep: 12:FpX6XxvXjOqnuNQAHcIE78zivIaamH1cO2I7/HZXDFzfRpIN656KVzn:FpKXpTLnuNQAHdHiXamH1cO2IrJX2N6T	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\TIGZFGLM.txt	0.12 KB	MD5: 08d540a410aeec5afda6a829023f5d62 SHA1: fdd2929cf14b43dd8670897ff23e2ad2375e8739 SHA256: 08b7b4ffb721a0c79a0b97a429b171e050e1caac6de6830332054565635f0697 SSDeep: 3:zCshvjwrtaDVMURRCU20dZtRMSL3U3m1XPSiLcSZRCvXn:zCAW0DRr2yDMv2dvYSkXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\F68MFAMN.txt	0.10 KB	MD5: eac5d68b5f73531860c66fd02835e6c7 SHA1: cfc0a4c3d920cf7d8092c0cbe75563236643f994 SHA256: 698832eabd4a7b7c57a02697aec6eb40a320fc08512faaacfde45f98c00a45a3 SSDeep: 3:0Q7I+WHcDTMcAwMfjdfXv7YcTRBdZ78XBAgnvXn:VcdHVcAwehxLMvXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\PK3I34UV.txt	0.22 KB	MD5: fa464e981ce1d1d351998269931ffd2c SHA1: b9ce7e6bcbb56f43fa85297671a7d07389cd532b SHA256: e189fbe9b477f07c3de8b7abe06542171de1792a240c1bc03f953e186c595142 SSDeep: 6:zCAEjrc5jWojhv/MDKopgvXoPNsnbXyh8oYXn:zvjW+lMeopkXYNsnbXyCoYXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\H5LCJX1B.txt	0.58 KB	MD5: b69bc12496d5523acfa3d6f77d503d6b SHA1: 70f957bfd1421c0208344735420e1ab5149c92cf SHA256: 4dc79fdc62ad1e6630a50d8dd3d11b4bad2935b4a5be492bb8ef753491d75359 SSDeep: 12:sE820oMGGVbkXUfEX34f8J8/DdMSkd8GGVbkXX9A1gH6NcgHhGGVbkXn:J8NxZtkXU3e8bw8ZtkXXOWa1hZtkXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\QUMCK8L4.txt	0.08 KB	MD5: ba27405cebed532e86e6fcfcc8ede849 SHA1: cf921eb790eab9f69ec1acc3817c197b270071cd SHA256: 046c98fd7aecebeb00adfc0f90c4b3655ba07b5d53664370f9c5162664e36c68 SSDeep: 3:FJXDQ/+T1hGgKvXI+YUSfYMJjXQWj7CvXn:7XDQU1QguwfjQWjwXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ff\\8i341t8m.default\cookies.sqlite	512.00 KB	MD5: c086878e29f58295040165b8d529978f SHA1: f82adf6832b0170d777e8414c905da9ae7615814 SHA256: 33399fef9e8e65a148887fb112a866d47b92dd08d861cd510f4e1f2fe8b6a41d SSDeep: 384:NDf+J1VSvfVRvtIdaYK/gVzV7drvVmDIlGRYJf2:NDf+L6CdbV5t9LGR	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\23JC2UTD.txt	0.09 KB	MD5: cbe543a3f03bc4dd20755e106fe04df9 SHA1: 0a98fc7c187e9332b09716c4b424994152886f64 SHA256: 8dfa991db0c865c06197b7d3e1e0201acfecbca35cd9913940355f30e23040e3 SSDeep: 3:Z7k0AXWUEXWivf7YcMYlzTvDcBiFSTV0vXn:Zg0AGdGivSzBISTVWXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\LY3FDU65.txt	0.30 KB	MD5: 4034174265387ef7a1deea810c7feb8e SHA1: ee24ffe264b8ea2d1a503799473fdc89fd0d6b38 SHA256: 5a82c391df9d91405266896d5ab44d2cac52d671df44b1b35f53c60f76d21213 SSDeep: 6:GON+24dbBWg9+VW7BaGYIu8+VeEUOtmWqQWXMH/waU+VeEUOtSBXn:ZNx4+g9q0BaGo8qeERtmOWXEUqeERtSx	... File Actions Show Properties Download
C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.bin	0.16 KB	MD5: a7aa1f78f72aac124a1537b448cc0214 SHA1: 56f84d8ec9cc925e5a55b50ae8098742bd928603 SHA256: 193a5c4ce851441a18eeae2c3447adf272c4f09bd213f73235c941b82eb4b727 SSDeep: 3:tFoYXBsJaQGQbQoPgcVSRE2J5xAIkLW0HbRQ9Wf1QoPgcVSRE2J5xAIUSqHov:tFdXBWQ8gZi23fCvVQ9W9Q8gZi23fUSx	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\4MN240WN.txt	0.16 KB	MD5: 3542c27584ae79503ebc82a304201a01 SHA1: 4e049f8599200e0c7f12f086957645a682d6dc84 SHA256: 54d355a67a4220c2d2171c27b17768c67f7b69336204bf5caa78d2a19d0fe5ee SSDeep: 3:pNN1gyTuv7YcyfRvUVYrSRJ8vXH/UOvjSXVYyTuv7YceQ5vUVYrlSXcX/vXn:payTgKrSRJ+XvvuXVYyT5VKrl9nXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\U8FCPAKJ.txt	0.11 KB	MD5: aa4cb4acfc891c1d86bd79af06632a27 SHA1: c81ca1f450d50b906e0a2489a85ac737f22da2c6 SHA256: d4d5795e4f6954a94bbc0a2032e0d2f674ca5697ce83711b86060c3dd9e1ee88 SSDeep: 3:JhWDhWdVmuPO3LyT0Xv7YcAMvWEHXhZ6Z0vXn:JJdVkLrOEHykXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MMPF10F4.txt	0.25 KB	MD5: a1640d6fc4841bce5a607576e359ee86 SHA1: a290ba0b1ddb7c70002be319033caeab3ee47e53 SHA256: 03eab9ebdf12271a78951c77be387b6b522fbed8af8d084a05e33222d47a24ee SSDeep: 6:cR6vD1XDRA6Jz48bgaXWAaoWy/V8IYUKhvnXn:lXDWwfXWtpyd8IghvXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\A0RK8A2H.txt	0.12 KB	MD5: a588597215b073e4419ba2dd98a41412 SHA1: 0758752783cb22108e88d40c4f3cd2313edccb32 SHA256: 38073e4d52dc6b4b6adfda77bd16731a9790e0638dc106e3b2229c933b3859bc SSDeep: 3:IWAThQgW+FSiRYWyb26BBgKEg40E07YchbRdZ78XCWdQI0vXn:IWAugWviubiqBgfp0EG3x/Xn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\P778SMC9.txt	0.08 KB	MD5: a79195c5c524375b067abba0d0533deb SHA1: 9d3ba9ac8a17afb371739f76bac374566581b1a7 SHA256: e13809fe52d1a486c350d8528a53b10adeb46b56cf208ee18c59268391a6dd5d SSDeep: 3:oWVrYyqyyXPv7Yc1n5vUVYrgtnoQ0vXn:oWVrszrn2KrC+Xn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\4O6583I0.txt	0.55 KB	MD5: cbe2e6163070d0dd3727ba3ae1b54c3d SHA1: cf0e8a0eaeb26002a620e73b291ba47d163e529a SHA256: 9a910cc79a7ff4f95f5d917ab7aee3a266e94eb80af1beacff423bd7d8ff1093 SSDeep: 12:9PTDjN1clAB51lHPz9dN+zECykX6cFQUhzECirwX6cLZ7Br+zECBynX6cOzEC6Xn:9rDjN1Z5tOxX6YQqPX62rmPynX63YXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\TEW946CI.txt	0.14 KB	MD5: 905660c54f67bfc4ff4f105bf912fa6a SHA1: e1197b654214ca9acded872fd87bbfb5fbc2e1c5 SHA256: ddd120efff365d5b38c67edf515d36217fa9ebb9469b675b03e9947128d31d4b SSDeep: 3:U8ULA+tRMVXJULvUVYr2mQtWVavXk/tuvFQ+tRMVXJWuQa6ZlSvXTQtWVavXn:AA+DMVXNKr2maW6Xk/tuv6+DMVXHQaY9	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\WX75TEOR.txt	0.28 KB	MD5: 326b7abab45ab5d7a295ac7f7906d2de SHA1: ec26372aa173331cf4b6806e6cd806b3a58ada86 SHA256: 3cbeabe1b3581ca4206845cb528045d9fdc38df6a1e2dbd800bb78e656de696f SSDeep: 6:Wk8+dKXcj9UDvnXWAl8UmXcj9UDvnXTkW2xcj9UDvnXn:WkDdKXcj2DvXWcmXcj2DvXqcj2DvXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\2HYILE1O.txt	0.74 KB	MD5: 05aac76b6e5e572582e6bd568789d6f3 SHA1: 13dd429f97cc2e6441a60d7a2301cac348c73957 SHA256: 3aceb7fcdafc2fbca160384722ceb4b09d5daf98f910fbdb7a0ca3a371549527 SSDeep: 12:IEj/XomgZcnX8mgZuTcXGKxiE4gZuTcXeIumgZO6XWZKBnmRWu/DJuVIS6XWhsBz:UZ6X8PZuTcXdxiEVZuTcXeFZvXrBm3jd	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\9Z1Y5ICI.txt	0.11 KB	MD5: 9825210d2d9321a0e9a8ea9f10d87245 SHA1: 0b910792e75c625be2ff256eded3251c5e615a2d SHA256: 077410e4a46c2597c8a4e855016af21f1a6f9940649d7fe4374fbc829ae52c1e SSDeep: 3:3ykZhTy/F1CRI0XviOG2yRLSrjyyS9VTVRCvXn:isWF1CRIFOG2CmrjuTwXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\16Y0X4V7.txt	0.40 KB	MD5: 83644b16875ad59b518a166d5bed5b59 SHA1: 176405896e3158bd9bd3de552966bdb43384a65a SHA256: e103787ab2e8ed7de8d2224acb22bfbc4681994db83382b73e2b22d690324359 SSDeep: 12:GOCl3ZK8X176GiIEZsBXONo5H3ZJe9qkX/i73ZsQXn:MlE8X1RiAXKsXuX/i7LXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\4Z6UDYLY.txt	0.09 KB	MD5: 9a525b9701df706423183c5f00d4f28f SHA1: fd1d0e39dd90826b4b4743b1b732c8889838c1ce SHA256: 5fb85f1094ba640e67056c0da963f1c9f74ca7e3de59e30fc097a27fa9afa4df SSDeep: 3:ZRRGlQGLLzPv6NmXTV4vUVYrgaqr7CvXn:EQcKMXTVVKr8rwXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\RTEPN67M.txt	0.23 KB	MD5: 6d142a6f5e44fc7ce7863836f46cdb59 SHA1: f3051c35b234cf3b8ddce4d148de524c6a4edf25 SHA256: 683de10c0ed7a13c4435580b662312be1cd34987de0408c3aaa6143aa4fdd317 SSDeep: 6:qWbEBnQjRWXEVWSlL4fYQnvvX9YIVvzlJHkXn:qWbonQgX8bqAQXXiINZaXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\RAYRHE6Z.txt	0.49 KB	MD5: ab8d9047a136b8ef0e61b12bd7009d6d SHA1: d55a384d22818d914ef80ddf500dbedcfbc359db SHA256: 672462423886461f5a46f3774d3c2a948d6d10dac3f7d1d58f6adfdff654edca SSDeep: 12:I50mX3oZCWXFdaR0a4H1XJP2l5Isfd3G2Q76zqfZkXn:w0PCWX+Rt4H1XI5PN5E6WfWXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\ITD4OUAR.txt	0.18 KB	MD5: 77e6230430d7e414dd05526fdcb160a0 SHA1: d16d3249558d650a76e374ff72b38c9ca5ea7420 SHA256: 208c87affcf51a0cc1fbd81e753a9f9af748456008bd84d815fe074a75b09135 SSDeep: 3:UhZKIdQhREcQQHqcAWGl2uv7YejeQVZST/YSeWVavX62Szs8Gl2uv7YcTRBdZ78u:dqQHEcQAqcAWGl2keAI8SeWVkX62S7Gb	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\SEVCUJM3.txt	0.09 KB	MD5: e12ee25dc159278b387468be4240ea17 SHA1: bd8053caa423bf3812c6c77b03f8e939fdc6dfcd SHA256: 42446a69188bd5c18ebeb93bb0ac7d32267ccbef5fdfa66c38286019af826a46 SSDeep: 3:tM71+lRI0XviOSiRLSrwjvXn:ti4lRIFOSymr4Xn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\STGOZ493.txt	0.10 KB	MD5: 88aa642b64e60a35a0eb0fc41ff77484 SHA1: 318c7687fdd0a21c8d661c356ce04e118b2f8604 SHA256: 8a8c19eb6ba82a9dc432164aaded48f31f52e821b6b171c41811fcd6dc0065c6 SSDeep: 3:8Zh7CsRe2ldf2o7Ld3vXv7YcMVoXPKQR56WVavXn:6wePRiYzR56W6Xn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\ISTFXHHR.txt	0.32 KB	MD5: 5167dd813fd6448a9c120a383ee4d4e0 SHA1: 906d81e4d3497dd2286dc3ab80c8e4387c168e93 SHA256: 59963576ba60900e26c05c1999932a1141dcbf7c67f259e9e0f1d4661227fd3d SSDeep: 6:6BnqzmMvet/UXqA/9heMvet/UXWJHWROjIkBZheMvet/UXn:orMvK/UXgMvK/UXWJ22IiheMvK/UXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\1LLUY7B7.txt	0.12 KB	MD5: 28aed6b5d232c8d69bdd5c2d0fb72fe0 SHA1: c8986a9f12be24704fea6c072600af8d5ef2a3ed SHA256: 1883294be4a02f252d15f1603f35ae515f0f6acf100e456b20404bd01df2932d SSDeep: 3:4i30B8S01RLZGSOS0dEGRuGvXviOBLST/ievXn:4iE+/LZL/kEGuxO8lXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\VD3GM2DA.txt	0.17 KB	MD5: 9dee7b57dcabaa678e34aa6a14c881e0 SHA1: 5e98c1e1bc764d66e61599b2547fd7dc18885f0f SHA256: 32a428fd82ed595868c88557aede73237053a4af89fee0da76b1cd56d5f7f123 SSDeep: 3:MvKGX3WIdzmmgNAZAWAIfFmNuyMLGTuv7YcPXPIdP7CvXn:AnWgy3NAZAHIfgN0yigdIXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\1L3KU69N.txt	0.11 KB	MD5: 54f508f03342add430e180d6dbcb3d3d SHA1: b6cbe338c7e6e6f25bdb955d8c434e9a0cca65e5 SHA256: b5af007818eb027a9106fa34f0c17b373f4b76c8723eab7dbc1dbc3f9d0d46db SSDeep: 3:Hw7I+WHcDTMcAHcEgR5viMjxRdZ78XBatvCvXn:HwcdHVcAVgRwMjb6Xn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\UGL14QS0.txt	0.13 KB	MD5: f748c4a8663741332d2d3f371696e50b SHA1: 39e9629d86ed99fc4ccb6f0bfa76843dc813d50b SHA256: 9390fa24b3f6a4789dfa7a8645f4b3f79654cb1db3347963ae91c689f74e07f0 SSDeep: 3:U8LfyKfUVXJc/n5vUVYrxReTvECvXk/tuvF2yKfUVXJWvXcN6ZlSvXXeTvECvXn:FfZ8VXpKrXMvXk/tuvQZ8VXcXcNYIvHk	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\OOUVZSZN.txt	0.16 KB	MD5: b76f6a7898e30e10f2573da67930e365 SHA1: 6ed68335f5314ed6cc5c071f523719f4182f6fdf SHA256: b1bf16fe6e97ff019a2e66a585bb246a7357db9b766e2dfe02370735b5227a72 SSDeep: 3:zTvqGqW3oZGaRtRMVXJXmm1XPSipSXY0vX2CfhpdVnRQ3KRtRMVXJXmm1XPSiLcX:zOW3o7DMVXZDdvpTWX2mpXVDMVXZDdvq	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\NYCCG1AV.txt	1.56 KB	MD5: 701e185a66b6205df319a7031083916c SHA1: d5b5e9779d95238a140de5ea88039113fd3be9f7 SHA256: 7530a36faa9961a59ef9c22fac64baea4b94947af1eaffec0e5958141fb65874 SSDeep: 24:diB7XDA7X+cNh7XUIGu+ckRR2Jqqnc8iWi24Ew9jflFxfxaS1gjQGQi6VjRVXn:d6XsX9HXUIGUGZjWitEGj93fxWjteHXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MCAKE788.txt	0.10 KB	MD5: bcb18b0e67cb42cdc710ec9374de78e1 SHA1: 5c20b0edfa4ca01023c5f13ae937e3bce3f6451d SHA256: 9a39cc3f626e7c2e1ac7272992fd3ec758a7fb935ec14fce90fa463cc25301c4 SSDeep: 3:KAXIzEnVXqP8DoRxLBI+Yc4XPlNVC+gevXn:KHCVi8DMNBUdHdXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\CDGOWO27.txt	0.14 KB	MD5: 7ef6c6ce7f843ad5e5dbe4c23476d57b SHA1: 9a4ab75b9ba10681a6790f54a3ba1d59277ffada SHA256: e0fd90163beef3e778f1e0f7ec42839655979fd20a97252a11e7b62e70ff9652 SSDeep: 3:nviXxWhTT52V/nm0dFmx2V/nmNMKsQ94RyK/v7Yc9dbbZ78X/fQTV0vXn:FhTIm0dFmUmNMTQqRZ1bRgfGVWXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\S0EK69P5.txt	0.12 KB	MD5: 43d34b584a1f58538d5bafd3afc46c13 SHA1: 570a16fd3636d58181154d81eb871056ae02e706 SHA256: 101b0a83ecb877aa1df5e25876baa8d08d05e8114f26d292194abb2e809e86dc SSDeep: 3:eXcLIdvKoAqm6z/zv0NMsQLXQJe6ELGav7YfQFDg6dIvXSAktgV0vXn:esLgv+6z/zv0NMsQLAJhJQm6/2WXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\3VVSZ2CO.txt	0.13 KB	MD5: 7f7b455594ec6c1845467547b86196cd SHA1: d36163af4aa6a94ecb949795941fce93f9185c2a SHA256: 7e06985f409edbaf7c50b665707659371e068f82308e81370611172081d385f5 SSDeep: 3:NAvhl79wPFdZAZXkFPaUMnKfUVXJRzAXJST/edvVjYRCvXn:NAZd6PZyUBunK8VXfzlIvXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\XUAUK5R0.txt	0.09 KB	MD5: cf94bc0a85e8ec31b31ba1f6df852a3a SHA1: c4e638ac6d92b4862b30e5382b4ae7aa2332e269 SHA256: 8498eb9eb0e1807995581cdb236fe898ea81d1b64ff97d7705c2a0c5c481654e SSDeep: 3:33oVIT0xLJCuGGvXv7Yc8MeFXPNXcSo0vXn:B0xLMuzetlXctWXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\WUT8M1Q8.txt	0.35 KB	MD5: 141ea27d246089f61d2c626824c89ab2 SHA1: 2cdd702daf06e67c4af5035566783cbf162d0004 SHA256: c46c320d59ddebfddd5470a36cb3c020cba0e254c7e793a2d2e7221022367877 SSDeep: 6:AVRkBSC26xSRW10XIBJvANSBWWjN26xSRW10XqJZZVMNVBPtSRW1TXWYSCSSZbWX:A7kBSCIX8aNSBnxIXqJZZCV9XWYSCSRX	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\NOCAHPZ6.txt	0.13 KB	MD5: 0275efa4f33da5f0978e5570fbe1a384 SHA1: 018422667b4795a10b5ea7589d8427aecb96ef73 SHA256: 00513cd9b54981cbec62f815a17b94a0cee0d9e3c80a600b29aa8afb1ac71806 SSDeep: 3:FCXNUM2HAnxQXsA8RRJDgRsTTH3KyJXv6NmTIMeFXPNQaTgQ0vXn:FUP2HAWR8DJsRkT3nZSMT7etlQFQWXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\CYHYO8JD.txt	0.11 KB	MD5: 6b5ebf13aea6c467dd22dc47141419b8 SHA1: e3906219113c9f7dff3c25f1a87372536bf106a5 SHA256: 66e28e5d2177e9b6ea27ab60c5d2bfab2fc144b1a19f7e735e8f21decc79476d SSDeep: 3:CQ7TAAJOVjuvbMyKfXv7YegtXJST/2LL0vXn:ZfAfSjdCaLLWXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\B67M68H4.txt	0.10 KB	MD5: 4318c9793f2b6a347dec8834d135ca6c SHA1: 191409ec70269a97d74553605fe4f188d4ce79a0 SHA256: b42fe0fb5430206830f63a114e6a8e975e310c5c73b40c3c1467000893c43ff7 SSDeep: 3:mCVNUvRRRB2WaYePkdUOORUJ3WM7VSv:mCgvjxykjVD7cv	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\UUEVXDWP.txt	0.54 KB	MD5: 5c8ae4959a0d7602619a3c66988154b6 SHA1: 220cff54515520d13f6822205893651f2c548d2a SHA256: 02214826575ef29b128c1a57e4e90516d113a6f333a7554ebe6cf8e47cd97493 SSDeep: 12:FYTNwX2XxEbXyf9t2X2X9bXyfFtHXYNsnbXyflMW6X8tuvNvvImX2X6QbXyf9t2X:FYhwXY2bXw9t2XY9bXwFtHXZnbXwlKXw	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\T1LCPPSA.txt	0.08 KB	MD5: b2899520b074966f8c8702ae7c4d5a50 SHA1: 0aac474abe1290e92a6f7542a088a921abce85a8 SHA256: 54c32dc0359a44f3120ab4de1785006aefa4c41770237de106ceb67c76bdb6ba SSDeep: 3:zws66RjcBvX0bfUVXJXnRXbZ78WUX7v/vXn:zw/QK7VXZbHUrvnXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MOE7DCQU.txt	0.12 KB	MD5: 1fd4e359831f8693be70203e8961781e SHA1: 84bbd3624f6f0574361b21cc7af2a1a735bc81de SHA256: 76850c1318b057dacf5670a830f1ddc150c3c4080122ec034f23ee1c58f561e1 SSDeep: 3:SNoHNxnFEBVUEXGEqQgBLQ/v7YcOcpXQNqTJr7CvXn:/HNxnoXGzQZMcpltrwXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\WPEXKTDV.txt	0.37 KB	MD5: 929a203e2d9f0e28ea39b88f5cb2bba7 SHA1: 5f9296dc59e420d0e5e16cbac196f57959cf1b74 SHA256: e64462d7465fc07c5bf16ada6b394cee95b9526516338e4342c32b773afa21a7 SSDeep: 6:MFOKZSgnlhWgW5GLsCkyRiENBH0fQ5kQbJRtAt/HP8y1AUaUKm5wXn:0lraFlyRiENBUoFbJIBv8ySm6Xn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\JQOCYKOH.txt	0.99 KB	MD5: 72ea382b36198a27148aab5f1d348dcf SHA1: a54832a578317e2d3faee12ca664fd9e8ea355ed SHA256: 0e3df950902b1ab87598b3ce3d757c02cc2b0a315185c3349afc7553bf917cb8 SSDeep: 24:YTfyr8b1S4XaWX6j05X6tX0/eX6OkMX0bX637Xxb3Q1XRd50KHVKkXRWHVKkX6Oz:Qr1/XzX6jIX6tX/X6OrX+X637X5g1XRC	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MM8KB9U2.txt	0.42 KB	MD5: 5cc2e105ff2d69d964117649bd67160d SHA1: b087f166166accb1cbbb309c1050d3a7aa8467c8 SHA256: 1cad1bbc79f2dc24c368b0bc1080a4253f11682b458d6b103d060e16966db4ba SSDeep: 12:9/NQAHX+JQo3Tu9UI30fOO7iIlEd3lmotBN+sADvG4QO8XEp0O3Tu8kXn:9/NQAHdo3T6r2C1vBN+sSv1QO8XrO3Tc	... File Actions Show Properties Download
C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin	0.15 KB	MD5: a02d2224008599066a39c76eb90de6c0 SHA1: 36fa956d9848c14afea1812b6ba735fde55021fe SHA256: 99c10eeaba1c8ea511fb0db85be00aac6751e2f4e991380aebf07241a3476f1b SSDeep: 3:tFoYXBsJaQGQbQoPgcVSRE2J5xAIkLW0HbRQ96MHZaACLkhlTlidgov:tFdXBWQ8gZi23fCvVQ96qNidgy	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\D9QO3KHK.txt	0.26 KB	MD5: dd992b32063ca9d838df6c853fc671db SHA1: 421ee2107e0372866ef3c3970ced55a546bf6101 SHA256: 437027be071e1dc7e108adf484bee7e1df18497ba2cb1d3844588761093c0b75 SSDeep: 6:LnLF/XCoVTyeAIrMz/XIJ/FloVTX9BEbZXn:Lp/bV9AIAz/X0/4V79AXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\E978TFRK.txt	0.15 KB	MD5: 6be44de3554a12014e26570be04bdf1a SHA1: 44fabc96184d0d045b87d05d50efe49b21b626dc SHA256: 5f704f35e7f3fd56e614b8d32993735b5108eea115810deaa3592ce837c1648d SSDeep: 3:y8v0GGLd/v7YcJsFXPq4cavXLTMb8TEd/v7YcYTlRZ78X3JcavXn:30RLdPstGkXkOEdSThoukXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\RYK7X1K4.txt	0.11 KB	MD5: 940ca1bd61c2553cd9f95a93edc5997e SHA1: 739c28b26f326039315b87eb7d0932bd85d59d88 SHA256: bd86c349ecf385b282c4b93d35ecef3e06e1c0ecc6ba9d51221942d4c108ccc9 SSDeep: 3:1GfFlDZkSDsdmAzu5XuTYelbST/6rUdTOLRCvXn:1GbZOiQGnROLWXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5AFMRGRY.txt	0.20 KB	MD5: e763ee15bebb2fc6de2a805d11c0ad7f SHA1: 8d98b94aeb2f51e4410aebc229b7329d207a20cc SHA256: 452f9dba8ffafb071850743f0b0b9f708c7799ab8f9b8f89df55adca18d86f46 SSDeep: 3:oiRSHddSVIq9DeFWVNDh0Xv7YZVH2ST/J+RaR47CvXWW5+djSoIDh0Xv7YZVH2S+:DS9dYIogSpdFTf4wXWW5ijSdFTR7gXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5ARQYMIV.txt	0.79 KB	MD5: bf408165c746b6f91c2e94516428ce3f SHA1: f4eba85e0ef065c8c27aa4abcd3cceb797ffc8ca SHA256: 4e574e952604e1447aa6ab19b59b412e8515a01892f23a01cfb0c418f73a451b SSDeep: 24:8pKi5UWXHbXuR8jXKWIyMwX6gxWxmwX6fHa0xbnX6kbabYnXQfbL9zfinXn:WBdXHbXuIXKWIHwX6wRwX6f6wnX6kb1R	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\2XBM2EDN.txt	0.20 KB	MD5: 8b51a9ad393e18f9c0bce2e94aafa770 SHA1: 9027543e02b28a0fffaba18cb64848f69fa0622d SHA256: df7ff86575bd65cd23454aa9eaab24755016d5d30c7141ae12b8da3634a6f3d1 SSDeep: 6:s8nqs2S8jaKTyn/LVUSO96N/DArqp38rkUOTWHbpcv:s8z2S8BynzV26N7+qNdRTW74	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\1LFQZEOH.txt	0.11 KB	MD5: 695b6df8ace37000ebcdd4a5ccc58f60 SHA1: c05ce4eac17bf4fe26ed646fcdb44a6fc0572b7b SHA256: 673dc8663a4527c3941c4b83ab3902ca79cb9a606635c82fbfed5eaa54ae04e3 SSDeep: 3:CqEXjFDJT6pch/0E4XvilbGTKPv7YeGSUts9P8dTUCvXn:iXjFdTh/OXvzKaE8RXXn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\XNW1G0SM.txt	0.11 KB	MD5: 0584bb7512a9cfa5ceae7af231835286 SHA1: d2503f883f6ff49ccabb5100ea965c79a5dd48ff SHA256: f1fa017a59ba4d40e1f63c55343cadf1ea6414c932aabe1c4a86adc5813038f6 SSDeep: 3:KOXPGo3jX6uYOH3XiO4I8VXJRQVvWx5XZ6QcRUVBvn:vXPG2jnlniFPVXfoaXZ6QcRULn	... File Actions Show Properties Download

Modified Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\inetcache\counters.dat	0.12 KB	MD5: cfd804a9114ed191f2082dc36e51763b SHA1: adc53ea8c3ad7254631fa3df2d5489b9a6862316 SHA256: 90102a533761215cb024dd1003b594eff2e05f63c99f63538519d135d0f47337 SSDeep: 3:/l4l3l:e		... File Actions Show Properties Download

Threads

Thread 0xb38

123

Category	Operation	Information	Count	Logfile
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\COM\{9DAC2C1E-7C5C-40EB-833B-323E85A1CE84}, value_name = Disabled	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	-	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\System32\wscinterop.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Both	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	value_name = CheckSetting, type = REG_NONE	10	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\COM\{CA236752-2E77-4386-B63B-0E34774A413D}, value_name = Disabled	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	-	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\System32\werconcpl.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Both	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	value_name = Disabled, type = REG_NONE	1	Fn
Registry	Read Value	value_name = CheckSetting, type = REG_NONE	2	Fn
Registry	Read Value	value_name = Disabled, type = REG_NONE	1	Fn
Registry	Read Value	value_name = CheckSetting, type = REG_NONE	2	Fn
Registry	Read Value	value_name = Disabled, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\COM\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}, value_name = Disabled	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = User Account Control Check Provider	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\System32\hcproviders.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Free	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, value_name = EnableLUA, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, value_name = ConsentPromptBehaviorAdmin, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, value_name = PromptOnSecureDesktop, type = REG_NONE	1	Fn
Registry	Read Value	value_name = CheckSetting, type = REG_NONE	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\COM\{088E8DFB-2464-4C21-BAD2-F0AA6DB5D4BC}, value_name = Disabled	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = SmartScreen Settings Check Provider	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\System32\hcproviders.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Free	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System, value_name = EnableSmartScreen, type = REG_NONE	2	Fn
Registry	Read Value	value_name = SmartScreenEnabled, type = REG_NONE	1	Fn
Registry	Read Value	value_name = CheckSetting, type = REG_NONE	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\COM\{D26DE5C1-C061-43F7-9C40-7517526CF1C1}, value_name = Disabled	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = Startup App Check Provider	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\System32\hcproviders.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Free	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\StartupNotify, value_name = EnableStartupAppNotification, type = REG_NONE	1	Fn
Registry	Read Value	value_name = CheckSetting, type = REG_NONE	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\COM\{6AE07DC1-0244-4C6F-9AB0-5017A56357C3}, value_name = Disabled	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{01979c6a-42fa-414c-b8aa-eee2c8202018}, value_name = Disabled	1	Fn
Registry	Read Value	value_name = LastKnownState, type = REG_NONE	1	Fn
Registry	Read Value	value_name = CheckSetting, type = REG_NONE	2	Fn
Registry	Read Value	value_name = CheckSetting, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}, value_name = Disabled	1	Fn
Registry	Read Value	value_name = LastKnownState, type = REG_NONE	2	Fn
Registry	Read Value	value_name = CheckSetting, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{A5268B8E-7DB5-465b-BAB7-BDCDA39A394A}, value_name = Disabled	1	Fn
Registry	Read Value	value_name = LastKnownState, type = REG_NONE	2	Fn
Registry	Read Value	value_name = CheckSetting, type = REG_NONE	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}, value_name = Disabled	1	Fn
Registry	Read Value	value_name = CheckSetting, type = REG_NONE	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{134EA407-755D-4A93-B8A6-F290CD155023}, value_name = Disabled	1	Fn
Registry	Read Value	value_name = LastKnownState, type = REG_NONE	1	Fn
Registry	Read Value	value_name = CheckSetting, type = REG_NONE	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{B447B4DB-7780-11E0-ADA3-18A90531A85A}, value_name = Disabled	1	Fn
Registry	Read Value	value_name = CheckSetting, type = REG_NONE	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482}, value_name = Disabled	1	Fn
Registry	Read Value	value_name = CheckSetting, type = REG_NONE	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{2374911B-B114-42FE-900D-54F95FEE92E5}, value_name = Disabled	1	Fn
Registry	Read Value	value_name = LastKnownState, type = REG_NONE	1	Fn
Registry	Read Value	value_name = CheckSetting, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{96F4A050-7E31-453C-88BE-9634F4E02139}, value_name = Disabled	1	Fn
Registry	Read Value	value_name = CheckSetting, type = REG_NONE	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{AA4C798D-D91B-4B07-A013-787F5803D6FC}, value_name = Disabled	1	Fn
Registry	Read Value	value_name = LastKnownState, type = REG_NONE	1	Fn
Registry	Read Value	value_name = CheckSetting, type = REG_NONE	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{34A3697E-0F10-4E48-AF3C-F869B5BABEBB}, value_name = Disabled	1	Fn
Registry	Read Value	value_name = LastKnownState, type = REG_NONE	1	Fn
Registry	Read Value	value_name = CheckSetting, type = REG_NONE	2	Fn
Registry	Read Value	value_name = CheckSetting, type = REG_NONE	3	Fn

Thread 0xb2c

Category	Operation	Information	Count	Logfile
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = Windows.Networking.Connectivity.ProxyStubFactory	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\System32\Windows.Networking.Connectivity.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Both	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = Sync root manager	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\System32\shell32.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Both	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = User Account Control Check Service	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\System32\hcproviders.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Apartment	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn

Thread 0x964

Category	Operation	Information	Count	Logfile
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace, value_name = MonitorRegistry, data = 1	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace, value_name = MonitorRegistry	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace\DelegateFolders, value_name = StorageDelegateSuppressionPolicy, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace\DelegateFolders, value_name = StorageDelegate, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = Shell File System Folder	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\system32\Windows.Storage.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Both	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	value_name = UIStatus, type = REG_NONE	1	Fn
Registry	Read Value	value_name = OnlyMember, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = This PC	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\system32\windows.storage.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Apartment	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace, value_name = MonitorRegistry	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\RemovableDrives, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\RemovableDrives, value_name = MonitorRegistry	1	Fn
Registry	Read Value	reg_name = Storage, value_name = FilterMask, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, value_name = NeverShowDrivesMask, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, value_name = HideDrivesWithNoMedia, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = Property System Both Class Factory	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\system32\propsys.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Both	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace, value_name = MonitorRegistry	1	Fn

Thread 0x87c

Category	Operation	Information	Count	Logfile
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = ShellItem Shell Namespace helper	1	Fn
Module	Get Address	module_name = Unknown module name, function = StrCmpIW, address_out = 0x7ffb4625be50	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\system32\windows.storage.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Both	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn

Thread 0x878

Category	Operation	Information	Count	Logfile
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = Immersive Shell	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn

Thread 0x874

Category	Operation	Information	Count	Logfile
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace, value_name = MonitorRegistry, data = 1	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = Thumbnail Cache Class Factory for Out of Proc Server	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\System32\thumbcache.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Apartment	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = PSFactoryBuffer	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\system32\propsys.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Both	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = Shell Oplock Provider	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\system32\shcore.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Both	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn

Thread 0x864

Category	Operation	Information	Count	Logfile
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace, value_name = MonitorRegistry, data = 1	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace, value_name = MonitorRegistry	1	Fn

Thread 0x858

Category	Operation	Information	Count	Logfile
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = Immersive Shell	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = PSFactoryBuffer	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\System32\ActXPrxy.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Both	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace, value_name = MonitorRegistry, data = 1	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace, value_name = MonitorRegistry	1	Fn

Thread 0x854

Category	Operation	Information	Count	Logfile
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = MonitorRegistry	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached, value_name = {9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF} {000214E6-0000-0000-C000-000000000046} 0xFFFF, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions, value_name = HasFlushedShellExtCache, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = Sync Center Folder	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\System32\SyncCenter.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Apartment	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = MonitorRegistry	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = MonitorRegistry	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = MonitorRegistry	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = MonitorRegistry	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = MonitorRegistry	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = MonitorRegistry	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = MonitorRegistry	1	Fn

Thread 0x850

Category	Operation	Information	Count	Logfile
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace, value_name = MonitorRegistry, data = 1	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = Local Thumbnail Cache	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\System32\thumbcache.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Apartment	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = Home Group Member Status	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\System32\provsvc.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Both	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace, value_name = MonitorRegistry	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = Windows Search Platform	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn

Thread 0x838

Category	Operation	Information	Count	Logfile
Registry	Read Value	value_name = ActivationType, type = REG_NONE	1	Fn
Registry	Read Value	value_name = Threading, type = REG_NONE	1	Fn
Registry	Read Value	value_name = TrustLevel, type = REG_NONE	1	Fn
Registry	Read Value	value_name = ActivateAsUser, type = REG_NONE	1	Fn
Registry	Read Value	value_name = ActivationType, type = REG_NONE	1	Fn
Registry	Read Value	value_name = Threading, type = REG_NONE	1	Fn
Registry	Read Value	value_name = TrustLevel, type = REG_NONE	1	Fn
Registry	Read Value	value_name = ActivateAsUser, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = Network List Manager	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	value_name = ActivationType, type = REG_NONE	1	Fn
Registry	Read Value	value_name = Threading, type = REG_NONE	1	Fn
Registry	Read Value	value_name = TrustLevel, type = REG_NONE	1	Fn
Registry	Read Value	value_name = ActivateAsUser, type = REG_NONE	1	Fn

Thread 0x828

154

Category	Operation	Information	Count	Logfile
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	-	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\system32\windowscodecs.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Both	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	type = REG_NONE	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = Shared Task Scheduler	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\system32\windows.storage.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Apartment	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	-	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\system32\windowscodecs.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Both	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = Shared Task Scheduler	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\system32\windows.storage.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Apartment	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn

Thread 0x2e0

360

Category	Operation	Information	Count	Logfile
Module	Load	module_name = ntdll.dll, base_address = 0x0	1	Fn
Module	Get Address	function = NtCreateSection, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = NtUnmapViewOfSection, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = NtMapViewOfSection, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = ZwOpenProcessToken, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = ZwClose, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = ZwQueryInformationToken, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = ZwOpenProcess, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = NtQuerySystemInformation, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = RtlNtStatusToDosError, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = ZwQueryInformationProcess, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = RtlImageDirectoryEntryToData, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = _wcsupr, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = _strupr, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = memmove, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = bsearch, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = _vsnwprintf, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = _strlwr, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = atoi, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = strstr, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = wcscpy, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = ZwQueryKey, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = RtlFreeUnicodeString, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = sprintf, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = _snprintf, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = memset, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = memcpy, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = strcpy, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = RtlAdjustPrivilege, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = mbstowcs, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = RtlImageNtHeader, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = memcmp, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = __C_specific_handler, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = __chkstk, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = GetLocalTime, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = OpenProcess, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = VirtualQueryEx, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = CreateRemoteThread, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = GetModuleFileNameW, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = GetVersion, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = SetEndOfFile, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = RemoveDirectoryW, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = GetTempFileNameA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = DeleteCriticalSection, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = VirtualProtect, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = CloseHandle, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = WriteProcessMemory, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = CreateFileA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = lstrcmpiA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = GetModuleFileNameA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = LoadLibraryA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = GetCurrentProcess, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = lstrcmpA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = GetModuleHandleA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = CreateFileMappingA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = MapViewOfFile, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = Sleep, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = UnmapViewOfFile, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = GlobalLock, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = lstrlenA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = GlobalAlloc, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = GlobalUnlock, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = HeapAlloc, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = lstrcpyA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = GetLastError, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = HeapFree, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = RemoveDirectoryA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = DeleteFileA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = lstrcatA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = WriteFile, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = CreateDirectoryA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = HeapDestroy, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = HeapCreate, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = SetEvent, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = HeapReAlloc, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = GetTickCount, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = FindNextFileW, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = CopyFileW, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = SetWaitableTimer, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = LocalAlloc, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = GetCurrentThread, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = GetCurrentThreadId, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = lstrlenW, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = CreateEventA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = GetWindowsDirectoryA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = DeleteFileW, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = CreateDirectoryW, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = CreateWaitableTimerA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = GetTempPathA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = FindFirstFileW, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = LocalFree, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = TerminateProcess, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = SuspendThread, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = WaitForMultipleObjects, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = ResumeThread, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = lstrcpyW, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = FileTimeToSystemTime, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = CreateThread, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = CreateFileW, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = ResetEvent, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = SwitchToThread, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = lstrcatW, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = CreateProcessW, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = GetFileSize, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = GetFileAttributesW, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = WideCharToMultiByte, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = LeaveCriticalSection, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = SetLastError, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = EnterCriticalSection, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = GetComputerNameA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = CreateMutexA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = OpenWaitableTimerA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = OpenMutexA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = GetVolumeInformationA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = WaitForSingleObject, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = ReleaseMutex, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = GetComputerNameW, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = InitializeCriticalSection, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = LoadLibraryExW, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = GetProcAddress, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = VirtualFree, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = GetFileAttributesA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = OpenFileMappingA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = GetExitCodeProcess, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = CreateProcessA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = lstrcpynA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = LocalReAlloc, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = TlsAlloc, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = TlsGetValue, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = TlsSetValue, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = LoadLibraryW, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = GetVersionExW, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = FreeLibrary, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = ReadFile, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = SetFilePointer, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = Thread32First, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = QueueUserAPC, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = OpenThread, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = Thread32Next, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = FindFirstFileA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = FindNextFileA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = ConnectNamedPipe, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = GetOverlappedResult, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = CancelIo, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = DisconnectNamedPipe, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = FlushFileBuffers, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = CallNamedPipeA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = CreateNamedPipeA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = GetSystemTime, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = WaitNamedPipeA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = GetCurrentProcessId, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = SleepEx, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = OpenEventA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = lstrcmpiW, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = RaiseException, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = GetSystemInfo, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = Process32NextW, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = Process32FirstW, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = QueueUserWorkItem, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = FindClose, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = GetDriveTypeW, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = VirtualProtectEx, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Load	module_name = AVIFIL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = AVIStreamRelease, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = AVIStreamWrite, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = AVIFileOpenA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = AVIFileCreateStreamA, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = AVIStreamSetFormat, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = AVIFileExit, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = AVIFileInit, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = AVIMakeCompressedStream, ordinal = 0, address_out = 0x324fb60	1	Fn
Module	Get Address	function = AVIFileRelease, ordinal = 0, address_out = 0x324fb60	1	Fn
System	Get Time	type = Ticks, time = 61687	1	Fn
Module	Get Handle	module_name = Unknown module name, base_address = 0x7ff6fa0a0000	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	module_name = AVIFIL32.dll, process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\Explorer.EXE, size = 260	1	Fn
Module	Get Handle	module_name = KERNEL32.DLL, base_address = 0x7ffb45e10000	1	Fn
Module	Get Address	module_name = Unknown module name, function = IsWow64Process, address_out = 0x7ffb45e2e960	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7ffb47e30000	1	Fn
Module	Get Address	module_name = Unknown module name, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7ffb47e4d610	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x7ffb46250000	1	Fn
Module	Get Address	module_name = Unknown module name, function = StrRChrA, address_out = 0x7ffb46264dd0	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x7ffb45c50000	1	Fn
Module	Get Address	module_name = Unknown module name, function = wsprintfA, address_out = 0x7ffb45c72610	1	Fn
Mutex	Create	mutex_name = {3A4129E0-515F-7C10-AB0E-15700F2219A4}	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegOpenKeyA, address_out = 0x7ffb47e4b9e0	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegQueryValueExA, address_out = 0x7ffb47e47dd0	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530, value_name = Ini, type = REG_NONE	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegCloseKey, address_out = 0x7ffb47e472e0	1	Fn
Module	Get Address	module_name = Unknown module name, function = StrToIntExA, address_out = 0x7ffb46264e70	1	Fn
Module	Get Address	module_name = Unknown module name, function = StrChrA, address_out = 0x7ffb46264cc0	1	Fn
Module	Get Address	module_name = Unknown module name, function = StrTrimA, address_out = 0x7ffb46264e80	1	Fn
Module	Get Handle	module_name = KERNEL32.DLL, base_address = 0x7ffb45e10000	1	Fn
Module	Get Handle	module_name = NTDLL.DLL, base_address = 0x7ffb48180000	1	Fn
Module	Get Handle	module_name = kernelbase, base_address = 0x7ffb45670000	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetUserNameA, address_out = 0x7ffb47e5ec40	1	Fn
Module	Get Handle	module_name = NTDLL.DLL, base_address = 0x7ffb48180000	1	Fn
Module	Get Handle	module_name = ADVAPI32.DLL, base_address = 0x7ffb47e30000	1	Fn
Module	Get Handle	module_name = KERNEL32.DLL, base_address = 0x7ffb45e10000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = KERNEL32.DLL, base_address = 0x7ffb45e10000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = KERNEL32.DLL, base_address = 0x7ffb45e10000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = ADVAPI32.DLL, base_address = 0x7ffb47e30000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Load	module_name = PSAPI.DLL, base_address = 0x7ffb460b0000	1	Fn
Module	Get Address	module_name = Unknown module name, function = EnumProcessModules, address_out = 0x7ffb460b1040	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	192	Fn
Module	Get Filename	module_name = AVIFIL32.dll, process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\Explorer.EXE, size = 260	1	Fn
Module	Get Address	module_name = Unknown module name, function = StrStrIW, address_out = 0x7ffb4625b260	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530, value_name = Install, type = REG_BINARY	2	Fn Data
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegEnumValueW, address_out = 0x7ffb47e47220	1	Fn
Registry	Enumerate Values	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegSetValueExA, address_out = 0x7ffb47e32680	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = EnableSPDY3_0, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Get Handle	module_name = kernelbase, base_address = 0x7ffb45670000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	193	Fn
Module	Get Address	module_name = Unknown module name, function = RegCreateKeyA, address_out = 0x7ffb47e76dc0	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530, value_name = Client, type = REG_BINARY	1	Fn Data
System	Get Computer Name	result_out = LHNIWSJ	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegOpenKeyExA, address_out = 0x7ffb47e47d70	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = ProductID, data = 48	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = ProductName, data = 87	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = CurrentVersion, data = 54	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = InstallDate, data = 65	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x7ffb45900000	1	Fn
Module	Get Address	module_name = Unknown module name, function = CreateStreamOnHGlobal, address_out = 0x7ffb466370a0	1	Fn
Module	Get Address	module_name = Unknown module name, function = PathFindFileNameA, address_out = 0x7ffb4625cf30	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530, value_name = {111F6A44-3C4D-6BC7-CED5-30CFE2D96473}, type = REG_NONE	1	Fn
System	Get Time	type = System Time, time = 2018-10-24 19:46:06 (UTC)	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530, value_name = {111F6A44-3C4D-6BC7-CED5-30CFE2D96473}, size = 8, type = REG_BINARY	1	Fn Data
Mutex	Open	mutex_name = Local\{6C433A47-DB67-7E7B-C560-3F92C994E3E6}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
Mutex	Create	mutex_name = Local\{6C433A47-DB67-7E7B-C560-3F92C994E3E6}	1	Fn
Mutex	Open	mutex_name = Local\{FB999B87-1EC7-E503-005F-32E93403862D}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
Mutex	Create	mutex_name = Local\{FB999B87-1EC7-E503-005F-32E93403862D}	1	Fn
Mutex	Open	mutex_name = Local\{53667D0F-9637-FD89-3837-2A81EC5BFE45}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
Mutex	Create	mutex_name = Local\{53667D0F-9637-FD89-3837-2A81EC5BFE45}	1	Fn
Module	Load	module_name = ADVAPI32.DLL, base_address = 0x7ffb47e30000	1	Fn
Module	Get Handle	module_name = ADVAPI32.DLL, base_address = 0x7ffb47e30000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	193	Fn
File	Create Pipe	pipe_name = pipe\{072bb6f5-baec-d114-fc2b-8e95f08fa299}, open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_OVERLAPPED, pipe_mode = PIPE_TYPE_MESSAGE, max_instances = 255	1	Fn

Thread 0x7fc

Category	Operation	Information	Success	Count	Logfile
System	Sleep	duration = -1 (infinite)		1	Fn

Thread 0x42c

Category	Operation	Information	Count	Logfile
Module	Get Address	module_name = Unknown module name, function = SetWindowsHookExA, address_out = 0x7ffb45c527a0	1	Fn
System	Register Hook	type = WH_KEYBOARD_LL, hookproc_address = 0xcb2045c	1	Fn
System	Get Time	type = Ticks, time = 62109	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegisterClassA, address_out = 0x7ffb45c71310	1	Fn
Module	Get Address	module_name = Unknown module name, function = CreateWindowExA, address_out = 0x7ffb45c74df0	1	Fn
Window	Create	class_name = {8F4BB7B2-3369-65B4-0683-9A6728ADDC31}, wndproc_parameter = 213219456	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetWindowLongPtrA, address_out = 0x7ffb45c5cae0	1	Fn
Module	Get Address	module_name = Unknown module name, function = DefWindowProcA, address_out = 0x7ffb48213230	1	Fn
Module	Get Address	module_name = Unknown module name, function = SetWindowLongPtrA, address_out = 0x7ffb45c661f0	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetMessageA, address_out = 0x7ffb45c6aa50	1	Fn
Module	Get Address	module_name = Unknown module name, function = TranslateMessage, address_out = 0x7ffb45c636a0	1	Fn
Module	Get Address	module_name = Unknown module name, function = DispatchMessageA, address_out = 0x7ffb45c761e0	1	Fn

Thread 0x7d8

Category	Operation	Information	Count	Logfile
System	Get Time	type = Ticks, time = 62125	1	Fn
Window	Create	class_name = {41A6C2A8-C5E7-0A1A-5CB1-5075EE0B026F}, wndproc_parameter = 213219088	1	Fn
Module	Get Address	module_name = Unknown module name, function = SetClipboardViewer, address_out = 0x7ffb45c80de0	1	Fn
Module	Get Address	module_name = Unknown module name, function = PostMessageA, address_out = 0x7ffb45c74900	1	Fn
Module	Get Address	module_name = Unknown module name, function = OpenClipboard, address_out = 0x7ffb45c7b6c0	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetClipboardData, address_out = 0x7ffb45c7aba0	1	Fn
System	Get Clipboard	format = 1	1	Fn
Module	Get Address	module_name = Unknown module name, function = CloseClipboard, address_out = 0x7ffb45c80920	1	Fn

Thread 0x7c0

Category	Operation	Information	Count	Logfile
System	Sleep	duration = -1 (infinite)	1	Fn
File	Read	size = 12, size_out = 0	1	Fn
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Write	size = 12	1	Fn Data
System	Sleep	duration = -1 (infinite)	1	Fn
File	Read	size = 12, size_out = 0	1	Fn
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Write	size = 12	1	Fn Data
System	Sleep	duration = -1 (infinite)	1	Fn
File	Read	size = 12, size_out = 0	1	Fn
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Write	size = 12	1	Fn Data
System	Sleep	duration = -1 (infinite)	1	Fn
File	Read	size = 12, size_out = 0	1	Fn
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Write	size = 12	1	Fn Data
System	Sleep	duration = -1 (infinite)	1	Fn
File	Read	size = 12, size_out = 0	1	Fn
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{5A76122F-F1D1-9CA2-4B2E-B590AF42B9C4}, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Write	size = 12	1	Fn Data
System	Sleep	duration = -1 (infinite)	1	Fn
File	Read	size = 12, size_out = 0	1	Fn
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Read	size = 96, size_out = 96	1	Fn Data
System	Get Time	type = System Time, time = 2018-10-24 19:46:49 (UTC)	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{25E2F79F-402D-9FBF-7229-7443C66DE827}	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{25E2F79F-402D-9FBF-7229-7443C66DE827}\01D46BD24DAB98E809, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{25E2F79F-402D-9FBF-7229-7443C66DE827}\01D46BD24DAB98E809, size = 96	1	Fn Data
File	Write	size = 12	1	Fn Data
System	Sleep	duration = -1 (infinite)	1	Fn
File	Read	size = 12, size_out = 0	1	Fn
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Write	size = 12	1	Fn Data
System	Sleep	duration = -1 (infinite)	1	Fn

Thread 0xbe0

116

Category	Operation	Information	Count	Logfile
Mutex	Open	mutex_name = Local\{6C433A47-DB67-7E7B-C560-3F92C994E3E6}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
Mutex	Open	mutex_name = Local\{FB999B87-1EC7-E503-005F-32E93403862D}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
Mutex	Open	mutex_name = Local\{53667D0F-9637-FD89-3837-2A81EC5BFE45}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530, value_name = {36CFCEF2-1DFD-D85B-57CA-A18C7B9E6580}, type = REG_NONE	1	Fn
System	Get Time	type = System Time, time = 2018-10-24 19:46:46 (UTC)	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530, value_name = {36CFCEF2-1DFD-D85B-57CA-A18C7B9E6580}, size = 8, type = REG_BINARY	1	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\SecureBrain\PhishWall	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530, value_name = Client, size = 40, type = REG_BINARY	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530, value_name = Client, size = 40, type = REG_BINARY	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530, value_name = Client, size = 40, type = REG_BINARY	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530, value_name = Client, size = 40, type = REG_BINARY	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Run	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegNotifyChangeKeyValue, address_out = 0x7ffb47e48fd0	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Mutex	Release	mutex_name = Local\{FB999B87-1EC7-E503-005F-32E93403862D}	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530, value_name = LastTask, type = REG_NONE	1	Fn
File	Create	filename = \\.\pipe\{072BB6F5-BAEC-D114-FC2B-8E95F08FA299}, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OVERLAPPED	1	Fn
File	Write	filename = \\.\pipe\{072BB6F5-BAEC-D114-FC2B-8E95F08FA299}, size = 12	1	Fn Data
File	Read	filename = \\.\pipe\{072BB6F5-BAEC-D114-FC2B-8E95F08FA299}, size = 12, size_out = 12	1	Fn Data
File	Read	filename = \\.\pipe\{072BB6F5-BAEC-D114-FC2B-8E95F08FA299}, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 102343	2	Fn
Module	Load	module_name = WININET.dll, base_address = 0x7ffb3cf60000	1	Fn
Module	Get Address	module_name = Unknown module name, function = FindFirstUrlCacheEntryA, address_out = 0x7ffb3d012120	1	Fn
Registry	Read Value	value_name = CacheLimit, type = REG_NONE	3	Fn
Module	Get Address	module_name = Unknown module name, function = StrStrIA, address_out = 0x7ffb4625e1c0	1	Fn
Module	Get Address	module_name = Unknown module name, function = FindNextUrlCacheEntryA, address_out = 0x7ffb3cfe7bf0	1	Fn
Module	Get Address	module_name = Unknown module name, function = FindCloseUrlCache, address_out = 0x7ffb3cfb2470	1	Fn
Module	Get Address	module_name = Unknown module name, function = InternetCanonicalizeUrlA, address_out = 0x7ffb3d0871b0	1	Fn
Module	Get Address	module_name = Unknown module name, function = InternetOpenA, address_out = 0x7ffb3cf81400	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64), access_type = INTERNET_OPEN_TYPE_PRECONFIG, flags = INTERNET_FLAG_ASYNC	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001, value_name = explorer.exe, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001, value_name = *, type = REG_NONE	1	Fn
Registry	Read Value	value_name = explorer.exe, type = REG_NONE	1	Fn
Registry	Read Value	value_name = explorer.exe, type = REG_NONE	1	Fn
Registry	Read Value	value_name = *, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxySettingsPerUser, type = REG_NONE	1	Fn
Registry	Read Value	value_name = Enable	1	Fn
Module	Get Address	module_name = Unknown module name, function = InternetSetStatusCallback, address_out = 0x7ffb3d0156e0	1	Fn
Module	Get Address	module_name = Unknown module name, function = InternetConnectA, address_out = 0x7ffb3d0878f0	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = purbs.com, server_port = 443	1	Fn
Module	Get Address	module_name = Unknown module name, function = HttpOpenRequestA, address_out = 0x7ffb3d0b30a0	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP/1.1, target_resource = /images/0RcBpczPE/RnhzOHSVr1TpkbdctKZT/tTrk4jpxXKbv4CH_2FI/eIKRtAHsz9aO225_2Fj6qM/0l2NhR4hPnXQU/C4DFMHnY/jvQJc5X0nMDMkjvqSXmHQya/KjFeI9lcAI/Ga_2Bm0j4eSP3wN17/ZET_2B0KJsbG/8ojG32FFsWP/OSJ2lf7AtmHU2V/YE32C2I3o/A0lbECMv/wP58m.gif, accept_types = 0, flags = INTERNET_FLAG_CACHE_ASYNC, INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Module	Get Address	module_name = Unknown module name, function = InternetQueryOptionA, address_out = 0x7ffb3cf83cc0	1	Fn
Module	Get Address	module_name = Unknown module name, function = InternetSetOptionA, address_out = 0x7ffb3cf97f00	1	Fn
Module	Get Address	module_name = Unknown module name, function = HttpSendRequestA, address_out = 0x7ffb3cf63330	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = purbs.com/images/0RcBpczPE/RnhzOHSVr1TpkbdctKZT/tTrk4jpxXKbv4CH_2FI/eIKRtAHsz9aO225_2Fj6qM/0l2NhR4hPnXQU/C4DFMHnY/jvQJc5X0nMDMkjvqSXmHQya/KjFeI9lcAI/Ga_2Bm0j4eSP3wN17/ZET_2B0KJsbG/8ojG32FFsWP/OSJ2lf7AtmHU2V/YE32C2I3o/A0lbECMv/wP58m.gif	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
Module	Get Address	module_name = Unknown module name, function = InternetReadFile, address_out = 0x7ffb3cf83350	1	Fn
Inet	Read Response	size = 4096, size_out = 0	1	Fn
Module	Get Address	module_name = Unknown module name, function = HttpQueryInfoA, address_out = 0x7ffb3cf97140	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
Module	Get Address	module_name = Unknown module name, function = InternetCloseHandle, address_out = 0x7ffb3cfbe110	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Files	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegEnumValueA, address_out = 0x7ffb47e60f00	1	Fn
Registry	Enumerate Values	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Files	1	Fn
System	Get Time	type = Ticks, time = 115953	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\6581.bin, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\6581.bin, type = size	1	Fn
Module	Create Mapping	module_name = C:\Users\CIIHMN~1\AppData\Local\Temp\6581.bin, filename = C:\Users\CIIHMN~1\AppData\Local\Temp\6581.bin, protection = PAGE_READONLY, maximum_size = 161	1	Fn
Module	Map	C:\Users\CIIHMN~1\AppData\Local\Temp\6581.bin, process_name = c:\windows\explorer.exe, desired_access = FILE_MAP_READ	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64), access_type = INTERNET_OPEN_TYPE_PRECONFIG, flags = INTERNET_FLAG_ASYNC	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = purbs.com, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP/1.1, target_resource = /images/1Q3QMp_2FQ9TaHUd55/2fUhLiOJz/UZpd10_2F4v11yd6tdEO/MohIps62L2eIP1oRxg5/no0UUUC1aLYuV6OL9h7PIj/LPrgPDCAp9Zn9/n6_2FgkT/sLE4yJyGujc1o7gvbb6R6Zu/On3_2BTEFj/Y5QMrTbqya4730lFX/p6nGWi7rnU2D/tQdxI_2FwJd/eLntUhSEHNXLXk/RBBBMhlmkhAuDQ7oluvfk/UoN_2FsN/9.bmp, accept_types = 0, flags = INTERNET_FLAG_CACHE_ASYNC, INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
System	Get Time	type = Ticks, time = 115953	1	Fn
Module	Get Address	module_name = Unknown module name, function = HttpAddRequestHeadersA, address_out = 0x7ffb3cfcf3e0	1	Fn
Inet	Add HTTP Request Headers	headers = Content-Type: multipart/form-data; boundary=--------------------------1146d711146d711146d71	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = purbs.com/images/1Q3QMp_2FQ9TaHUd55/2fUhLiOJz/UZpd10_2F4v11yd6tdEO/MohIps62L2eIP1oRxg5/no0UUUC1aLYuV6OL9h7PIj/LPrgPDCAp9Zn9/n6_2FgkT/sLE4yJyGujc1o7gvbb6R6Zu/On3_2BTEFj/Y5QMrTbqya4730lFX/p6nGWi7rnU2D/tQdxI_2FwJd/eLntUhSEHNXLXk/RBBBMhlmkhAuDQ7oluvfk/UoN_2FsN/9.bmp	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegDeleteValueA, address_out = 0x7ffb47e32960	1	Fn
Registry	Delete Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Files, value_name = 2B1905BE3AD836430F	1	Fn
Module	Unmap	process_name = c:\windows\explorer.exe	1	Fn
System	Get Time	type = System Time, time = 2018-10-24 19:47:00 (UTC)	1	Fn
Registry	Enumerate Values	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Files	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530, value_name = Client, type = REG_BINARY	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530, value_name = Ini, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530, value_name = Exec, type = REG_NONE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530, value_name = Client, type = REG_BINARY	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530, value_name = Ini, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530, value_name = Exec, type = REG_NONE	1	Fn
System	Sleep	duration = -1 (infinite)	2	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530, value_name = Client, type = REG_BINARY	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530, value_name = Ini, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530, value_name = Exec, type = REG_NONE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn

Thread 0x558

3252

Category	Operation	Information	Count	Logfile
Module	Get Address	module_name = Unknown module name, function = CoInitializeEx, address_out = 0x7ffb46683170	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager, value_name = Outlook, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager, value_name = Outlook, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	63	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings	63	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	63	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	63	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	24	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegEnumKeyExA, address_out = 0x7ffb47e325d0	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\03fea8ae12202041b643a9691e5b323c	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\03fea8ae12202041b643a9691e5b323c	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = SMTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = SMTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = POP3 Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = POP3 User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = SMTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = NNTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = NNTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = NNTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = IMAP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = IMAP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = Email	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = HTTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = HTTP Server URL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = POP3 User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = IMAP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = HTTPMail User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = HTTPMail Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = SMTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = POP3 Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = IMAP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = NNTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = HTTPMail Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = SMTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = POP3 Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = IMAP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = NNTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = HTTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = SMTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = IMAP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = SMTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = SMTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = POP3 Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = POP3 User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = SMTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = NNTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = NNTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = NNTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = IMAP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = IMAP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = Email	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = HTTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = HTTP Server URL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = POP3 User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = IMAP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = HTTPMail User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = HTTPMail Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = SMTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = POP3 Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = IMAP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = NNTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = HTTPMail Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = SMTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = POP3 Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = IMAP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = NNTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = HTTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = SMTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = IMAP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = SMTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = SMTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = POP3 Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = POP3 User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = SMTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = NNTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = NNTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = NNTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = IMAP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = IMAP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = Email	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = HTTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = HTTP Server URL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = POP3 User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = IMAP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = HTTPMail User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = HTTPMail Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = SMTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = POP3 Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = IMAP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = NNTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = HTTPMail Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = SMTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = POP3 Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = IMAP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = NNTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = HTTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = SMTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = IMAP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = SMTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = SMTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = POP3 Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = POP3 User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = SMTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = NNTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = NNTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = NNTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = IMAP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = IMAP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = Email	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = HTTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = HTTP Server URL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = POP3 User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = IMAP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = HTTPMail User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = HTTPMail Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = SMTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = POP3 Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = IMAP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = NNTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = HTTPMail Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = SMTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = POP3 Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = IMAP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = NNTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = HTTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = SMTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = IMAP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = SMTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = SMTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = POP3 Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = POP3 User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = SMTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = NNTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = NNTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = NNTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = IMAP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = IMAP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = Email	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = HTTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = HTTP Server URL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = POP3 User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = IMAP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = HTTPMail User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = HTTPMail Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = SMTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = POP3 Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = IMAP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = NNTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = HTTPMail Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = SMTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = POP3 Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = IMAP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = NNTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = HTTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = SMTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = IMAP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = SMTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = SMTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = POP3 Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = POP3 User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = SMTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = NNTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = NNTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = NNTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = IMAP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = IMAP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = Email	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = HTTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = HTTP Server URL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = POP3 User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = IMAP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = HTTPMail User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = HTTPMail Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = SMTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = POP3 Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = IMAP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = NNTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = HTTPMail Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = SMTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = POP3 Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = IMAP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = NNTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = HTTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = SMTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = IMAP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = SMTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = SMTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = POP3 Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = POP3 User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = SMTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = NNTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = NNTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = NNTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = IMAP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = IMAP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = Email	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = HTTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = HTTP Server URL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = POP3 User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = IMAP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = HTTPMail User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = HTTPMail Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = SMTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = POP3 Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = IMAP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = NNTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = HTTPMail Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = SMTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = POP3 Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = IMAP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = NNTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = HTTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = SMTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = IMAP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = SMTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = SMTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = POP3 Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = POP3 User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = SMTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = NNTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = NNTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = NNTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = IMAP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = IMAP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = Email	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = HTTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = HTTP Server URL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = POP3 User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = IMAP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = HTTPMail User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = HTTPMail Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = SMTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = POP3 Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = IMAP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = NNTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = HTTPMail Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = SMTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = POP3 Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = IMAP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = NNTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = HTTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = SMTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = IMAP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = SMTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = SMTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = POP3 Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = POP3 User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = SMTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = NNTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = NNTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = NNTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = IMAP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = IMAP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = Email	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = HTTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = HTTP Server URL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = POP3 User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = IMAP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = HTTPMail User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = HTTPMail Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = SMTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = POP3 Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = IMAP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = NNTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = HTTPMail Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = SMTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = POP3 Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = IMAP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = NNTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = HTTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = SMTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = IMAP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = SMTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = SMTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = POP3 Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = POP3 User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = SMTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = NNTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = NNTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = NNTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = IMAP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = IMAP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = Email	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = HTTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = HTTP Server URL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = POP3 User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = IMAP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = HTTPMail User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = HTTPMail Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = SMTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = POP3 Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = IMAP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = NNTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = HTTPMail Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = SMTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = POP3 Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = IMAP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = NNTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = HTTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = SMTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = IMAP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = SMTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = SMTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = POP3 Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = POP3 User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = SMTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = NNTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = NNTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = NNTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = IMAP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = IMAP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = Email	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = HTTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = HTTP Server URL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = POP3 User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = IMAP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = HTTPMail User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = HTTPMail Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = SMTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = POP3 Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = IMAP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = NNTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = HTTPMail Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = SMTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = POP3 Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = IMAP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = NNTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = HTTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = SMTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = IMAP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = SMTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = SMTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = POP3 Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = POP3 User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = SMTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = NNTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = NNTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = NNTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = IMAP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = IMAP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = Email	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = HTTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = HTTP Server URL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = POP3 User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = IMAP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = HTTPMail User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = HTTPMail Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = SMTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = POP3 Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = IMAP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = NNTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = HTTPMail Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = SMTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = POP3 Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = IMAP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = NNTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = HTTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = SMTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = IMAP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = SMTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = SMTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = POP3 Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = POP3 User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = SMTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = NNTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = NNTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = NNTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = IMAP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = IMAP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = Email	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = HTTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = HTTP Server URL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = POP3 User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = IMAP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = HTTPMail User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = HTTPMail Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = SMTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = POP3 Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = IMAP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = NNTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = HTTPMail Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = SMTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = POP3 Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = IMAP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = NNTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = HTTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = SMTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = IMAP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = SMTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = SMTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = POP3 Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = POP3 User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = SMTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = NNTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = NNTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = NNTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = IMAP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = IMAP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = Email	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = HTTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = HTTP Server URL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = POP3 User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = IMAP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = HTTPMail User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = HTTPMail Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = SMTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = POP3 Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = IMAP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = NNTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = HTTPMail Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = SMTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = POP3 Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = IMAP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = NNTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = HTTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = SMTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = IMAP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = SMTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = SMTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = POP3 Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = POP3 User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = SMTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = NNTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = NNTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = NNTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = IMAP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = IMAP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = Email	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = HTTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = HTTP Server URL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = POP3 User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = IMAP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = HTTPMail User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = HTTPMail Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = SMTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = POP3 Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = IMAP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = NNTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = HTTPMail Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = SMTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = POP3 Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = IMAP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = NNTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = HTTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = SMTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = IMAP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = SMTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = SMTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = POP3 Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = POP3 User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = SMTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = NNTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = NNTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = NNTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = IMAP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = IMAP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = Email	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = HTTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = HTTP Server URL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = POP3 User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = IMAP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
For performance reasons, the remaining 1074 entries are omitted. The remaining entries can be found in glog.xml.

Thread 0xa3c

Category	Operation	Information	Count	Logfile
Module	Load	module_name = SHELL32.dll, base_address = 0x7ffb46890000	1	Fn
Module	Get Address	module_name = Unknown module name, function = SHGetFolderPathW, address_out = 0x7ffb46970080	1	Fn
Module	Get Address	module_name = Unknown module name, function = PathCombineW, address_out = 0x7ffb4625d130	1	Fn
Module	Get Address	module_name = Unknown module name, function = PathMatchSpecW, address_out = 0x7ffb46264990	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, size = 4, size_out = 4	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, size = 1, size_out = 1	2	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, size = 8, size_out = 8	5	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, size = 512, size_out = 512	16	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, size = 3156, size_out = 3156	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, size = 448, size_out = 448	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, size = 140, size_out = 140	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, size = 566, size_out = 566	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, size = 450, size_out = 450	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, size = 562, size_out = 562	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, size = 458, size_out = 458	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, size = 594, size_out = 594	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, size = 112, size_out = 112	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, size = 128, size_out = 128	2	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, size = 846, size_out = 846	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, size = 724, size_out = 724	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, size = 902, size_out = 902	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, size = 120, size_out = 120	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, size = 118, size_out = 118	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, size = 120, size_out = 120	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, size = 108, size_out = 108	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, size = 110, size_out = 110	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, size = 148, size_out = 148	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, size = 180, size_out = 180	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, size = 162, size_out = 162	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, size = 118, size_out = 118	1	Fn Data
Module	Get Address	module_name = Unknown module name, function = CoUninitialize, address_out = 0x7ffb46682380	1	Fn

Thread 0x2dc

Category	Operation	Information	Count	Logfile
System	Get Time	type = Ticks, time = 103421	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
Module	Get Address	module_name = Unknown module name, function = PathFindExtensionA, address_out = 0x7ffb46264800	1	Fn
Process	Create	process_name = cmd /C "systeminfo.exe > C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1", os_pid = 0x560, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Process	Create	process_name = cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1", os_pid = 0x8f4, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Process	Create	process_name = cmd /C "net view >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1", os_pid = 0x428, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Process	Create	process_name = cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1", os_pid = 0x200, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Process	Create	process_name = cmd /C "nslookup 127.0.0.1 >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1", os_pid = 0x8cc, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Process	Create	process_name = cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1", os_pid = 0x274, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Process	Create	process_name = cmd /C "tasklist.exe /SVC >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1", os_pid = 0xb18, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Process	Create	process_name = cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1", os_pid = 0xbbc, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Process	Create	process_name = cmd /C "driverquery.exe >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1", os_pid = 0xb00, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Process	Create	process_name = cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1", os_pid = 0x8c0, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Process	Create	process_name = cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1", os_pid = 0xb6c, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Process	Create	process_name = cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1", os_pid = 0x8ec, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Process	Create	process_name = cmd /U /C "type C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1 > C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin & del C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1", os_pid = 0x3ac, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin, type = size	1	Fn
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin, size = 98824, size_out = 98824	1	Fn Data
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin, size = 49412	1	Fn Data
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin, type = file_attributes	1	Fn
System	Get Time	type = Ticks, time = 135703	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\D969.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin, type = file_attributes	1	Fn
System	Get Time	type = Ticks, time = 135703	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.bin, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.bin, size = 80	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.bin, size = 30	1	Fn Data
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin, type = file_attributes	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.bin, size = 49	1	Fn Data
Process	Create	process_name = makecab.exe /F "C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.bin", os_pid = 0xa4c, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\setup.inf	1	Fn
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\setup.rpt	1	Fn
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.bin	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\D969.bin, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\D969.bin, type = size	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Files	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Files, value_name = 8583E37508A8504006, size = 92, type = REG_BINARY	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin	1	Fn

Thread 0x540

789

Category	Operation	Information	Count	Logfile
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\History\desktop.ini	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\History\History.IE5\container.dat	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018102520181026\container.dat	1	Fn
File	Delete Directory	directory = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018102520181026	1	Fn
File	Delete Directory	directory = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\History\History.IE5	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\History\Low\History.IE5\container.dat	1	Fn
File	Delete Directory	directory = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\History\Low\History.IE5	1	Fn
File	Delete Directory	directory = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\History\Low	1	Fn
Module	Get Address	module_name = Unknown module name, function = StrRChrW, address_out = 0x7ffb4625dd80	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ff	1	Fn
Module	Get Address	module_name = Unknown module name, function = StrChrW, address_out = 0x7ffb4625a2a0	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ff\	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ff\\8i341t8m.default	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ff\\8i341t8m.default\cookies.sqlite	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\sols	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\sols\macromedia.com	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\sols\macromedia.com\support	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\sols\macromedia.com\support\flashplayer	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\sols\macromedia.com\support\flashplayer\sys	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\sols\macromedia.com\support\flashplayer\sys\settings.sol	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\2XBM2EDN.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\2XBM2EDN.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\2XBM2EDN.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\8489XH4E.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\8489XH4E.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\8489XH4E.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\B4K109K7.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\B4K109K7.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\B4K109K7.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\B67M68H4.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\B67M68H4.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\B67M68H4.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\OOUVZSZN.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\OOUVZSZN.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\OOUVZSZN.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\TIGZFGLM.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\TIGZFGLM.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\TIGZFGLM.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\XNW1G0SM.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\XNW1G0SM.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\XNW1G0SM.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\0GHTMU6X.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\0GHTMU6X.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\0GHTMU6X.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\0MDKR34W.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\0MDKR34W.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\0MDKR34W.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\0Z1JIEVI.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\0Z1JIEVI.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\0Z1JIEVI.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\16DOE15M.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\16DOE15M.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\16DOE15M.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\16Y0X4V7.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\16Y0X4V7.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\16Y0X4V7.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1L3KU69N.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\1L3KU69N.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1L3KU69N.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1LFQZEOH.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\1LFQZEOH.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1LFQZEOH.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1LLUY7B7.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\1LLUY7B7.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1LLUY7B7.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1UYN2RFY.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\1UYN2RFY.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1UYN2RFY.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\23JC2UTD.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\23JC2UTD.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\23JC2UTD.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\2EQ4E2OJ.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\2EQ4E2OJ.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\2EQ4E2OJ.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\2HYILE1O.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\2HYILE1O.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\2HYILE1O.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\3RW4K76X.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\3RW4K76X.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\3RW4K76X.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\3VVSZ2CO.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\3VVSZ2CO.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\3VVSZ2CO.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4MN240WN.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\4MN240WN.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4MN240WN.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4O6583I0.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\4O6583I0.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4O6583I0.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4YWCPPXN.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\4YWCPPXN.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4YWCPPXN.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4Z6UDYLY.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\4Z6UDYLY.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4Z6UDYLY.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5AFMRGRY.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5AFMRGRY.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5AFMRGRY.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5ARQYMIV.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5ARQYMIV.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5ARQYMIV.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5AV8L20N.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5AV8L20N.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5AV8L20N.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5NWXN3UI.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5NWXN3UI.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5NWXN3UI.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5STJ6NZL.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5STJ6NZL.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5STJ6NZL.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5TAY54V0.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5TAY54V0.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5TAY54V0.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5WQEGNKI.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5WQEGNKI.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5WQEGNKI.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\66I0OJL8.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\66I0OJL8.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\66I0OJL8.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\80J4IH0Y.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\80J4IH0Y.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\80J4IH0Y.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\8FFCGS26.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\8FFCGS26.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\8FFCGS26.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9ABR37NL.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\9ABR37NL.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9ABR37NL.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9IJPMFHZ.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\9IJPMFHZ.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9IJPMFHZ.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9M7ZHW1Q.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\9M7ZHW1Q.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9M7ZHW1Q.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9XACNSYG.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\9XACNSYG.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9XACNSYG.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9Z1Y5ICI.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\9Z1Y5ICI.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9Z1Y5ICI.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\A0RK8A2H.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\A0RK8A2H.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\A0RK8A2H.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\AA2IJ7JU.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\AA2IJ7JU.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\AA2IJ7JU.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\B427TFXJ.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\B427TFXJ.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\B427TFXJ.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\BK4HNAZ1.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\BK4HNAZ1.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\BK4HNAZ1.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\CC7DS78R.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\CC7DS78R.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\CC7DS78R.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\CDGOWO27.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\CDGOWO27.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\CDGOWO27.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\CYHYO8JD.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\CYHYO8JD.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\CYHYO8JD.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\D9QO3KHK.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\D9QO3KHK.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\D9QO3KHK.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\DN8YUCVA.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\DN8YUCVA.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\DN8YUCVA.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\DQI7WAG8.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\DQI7WAG8.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\DQI7WAG8.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\DRDF2EZX.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\DRDF2EZX.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\DRDF2EZX.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\E2KPI4ZI.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\E2KPI4ZI.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\E2KPI4ZI.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\E978TFRK.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\E978TFRK.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\E978TFRK.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\F68MFAMN.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\F68MFAMN.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\F68MFAMN.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FCGXHIFT.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\FCGXHIFT.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FCGXHIFT.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FGTTES1V.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\FGTTES1V.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FGTTES1V.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FLTMVY1F.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\FLTMVY1F.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FLTMVY1F.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FOLSAQT6.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\FOLSAQT6.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FOLSAQT6.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\GXB342YS.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\GXB342YS.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\GXB342YS.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\H5LCJX1B.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\H5LCJX1B.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\H5LCJX1B.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\HBPP9XXY.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\HBPP9XXY.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\HBPP9XXY.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\HF8F6LU0.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\HF8F6LU0.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\HF8F6LU0.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\HTVL5WIW.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\HTVL5WIW.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\HTVL5WIW.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\ILF13HLB.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\ILF13HLB.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\ILF13HLB.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\ISTFXHHR.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\ISTFXHHR.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\ISTFXHHR.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\ITD4OUAR.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\ITD4OUAR.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\ITD4OUAR.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\J4JSQG9R.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\J4JSQG9R.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\J4JSQG9R.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\JQOCYKOH.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\JQOCYKOH.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\JQOCYKOH.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\JWFWLAYR.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\JWFWLAYR.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\JWFWLAYR.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\K8249Y1G.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\K8249Y1G.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\K8249Y1G.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\KNJ4AJDH.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\KNJ4AJDH.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\KNJ4AJDH.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\L78EW25D.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\L78EW25D.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\L78EW25D.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LC10XEWL.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\LC10XEWL.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LC10XEWL.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LVARU12Y.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\LVARU12Y.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LVARU12Y.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LY1NFEKN.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\LY1NFEKN.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LY1NFEKN.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LY3FDU65.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\LY3FDU65.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LY3FDU65.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\M19117WZ.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\M19117WZ.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\M19117WZ.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MA5WDFBR.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MA5WDFBR.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MA5WDFBR.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MBJX4MYA.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MBJX4MYA.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MBJX4MYA.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MCAKE788.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MCAKE788.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MCAKE788.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MIL4MU1S.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MIL4MU1S.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MIL4MU1S.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MM8KB9U2.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MM8KB9U2.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MM8KB9U2.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MMPF10F4.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MMPF10F4.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MMPF10F4.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MOE7DCQU.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MOE7DCQU.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MOE7DCQU.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\NEHE4KDB.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\NEHE4KDB.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\NEHE4KDB.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\NOCAHPZ6.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\NOCAHPZ6.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\NOCAHPZ6.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\NYCCG1AV.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\NYCCG1AV.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\NYCCG1AV.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\O8FFFI2K.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\O8FFFI2K.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\O8FFFI2K.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\P778SMC9.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\P778SMC9.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\P778SMC9.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\PF9HBAFQ.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\PF9HBAFQ.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\PF9HBAFQ.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\PK3I34UV.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\PK3I34UV.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\PK3I34UV.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\QUMCK8L4.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\QUMCK8L4.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\QUMCK8L4.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RAYRHE6Z.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\RAYRHE6Z.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RAYRHE6Z.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RQK5QF4L.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\RQK5QF4L.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RQK5QF4L.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RTEPN67M.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\RTEPN67M.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RTEPN67M.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RYK7X1K4.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\RYK7X1K4.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RYK7X1K4.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\S0EK69P5.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\S0EK69P5.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\S0EK69P5.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\SEVCUJM3.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\SEVCUJM3.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\SEVCUJM3.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\STGOZ493.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\STGOZ493.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\STGOZ493.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\T1LCPPSA.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\T1LCPPSA.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\T1LCPPSA.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\TCXQPY9L.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\TCXQPY9L.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\TCXQPY9L.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\TEW946CI.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\TEW946CI.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\TEW946CI.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\TFCJHLEI.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\TFCJHLEI.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\TFCJHLEI.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\U2OYIS47.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\U2OYIS47.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\U2OYIS47.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\U8FCPAKJ.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\U8FCPAKJ.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\U8FCPAKJ.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UBUPNOZC.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\UBUPNOZC.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UBUPNOZC.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UBXQG39X.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\UBXQG39X.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UBXQG39X.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UGL14QS0.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\UGL14QS0.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UGL14QS0.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UUEVXDWP.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\UUEVXDWP.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UUEVXDWP.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\V7NNCJHO.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\V7NNCJHO.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\V7NNCJHO.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\VD3GM2DA.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\VD3GM2DA.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\VD3GM2DA.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\WPEXKTDV.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\WPEXKTDV.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\WPEXKTDV.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\WUT8M1Q8.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\WUT8M1Q8.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\WUT8M1Q8.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\WX75TEOR.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\WX75TEOR.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\WX75TEOR.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\XRS5D0N2.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\XRS5D0N2.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\XRS5D0N2.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\XUAUK5R0.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\XUAUK5R0.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\XUAUK5R0.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\Y1I415YS.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\Y1I415YS.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\Y1I415YS.txt	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\Y3XU5OKR.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\Y3XU5OKR.txt	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\Y3XU5OKR.txt	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\, type = file_attributes	1	Fn
File	Delete Directory	directory = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.files	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite	1	Fn
File	Delete Directory	directory = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb	1	Fn
File	Delete Directory	directory = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\1	1	Fn
File	Delete Directory	directory = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\journals	1	Fn
File	Delete Directory	directory = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite	1	Fn
File	Delete Directory	directory = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb	1	Fn
File	Delete Directory	directory = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home	1	Fn
File	Delete Directory	directory = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\, type = file_attributes	1	Fn
File	Delete Directory	directory = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\doomed	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\00230E843D3A08B230E933E226DB601D643BC852	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\00396519A728CAF55BA5985F2822E3CD29D0B17E	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0070686314FCF810B3CEE062939E2805C4894837	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\01936D44B3D7F728EFEB4C28574EF44AB7260A17	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\01CC9F4D43A947CA6202BA62A7FFF28C6881C1BF	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\01D69525274B61DE5FF860EF9BDF5BEDBB7E52C6	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\023DB71E21A04D5A6CE60A1EC2C15A40BE00DD08	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\02556929CF2E7913AF6E896368676F9BEC324DF4	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\025E6C3190211A09D15D92E5656FB71220B7737E	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0396D4FE028249B03B952ECAC5BDC2698D7AC41D	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\04407A80544B9CDDB0BF74A9C5090D338DED55E6	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\04825B72BD3FF3B25000EE8B3660F3E1748CF56D	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\04DDA15772BB1EBE40F174D3D0AD961AB0D85881	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\04E42D40E9FF818034B152EBBD5D2648E474B06E	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\053023C6ABE9799C7CBA3D16BB67C1B7F7B0D8A0	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\062AD3657B516BAF21B6D366104D405078541BA6	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\073B56D883E94B03370493A96DF99C2B51FB3E9D	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0782E7F698BE212FDCB80D8DE2C97C611AE50DFF	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\085CFB45496B3087ABCB8ABD8529B3EB41D17C27	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0A1144B8734850F5325AA6C259041EA8A201062C	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0A774848D5BE9E32A6789642784FD4DAFCD580F5	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0A9B36C9F5BCA2621C56BD4B714A9141238CF27D	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0ADCF0E2A022CEDF8D199ED2889DB295128C4E25	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0B55D23F82EE119DC0472267436CD5F2868E3B14	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0BCD5C644E4A81783F24DB39416D1CE0CA0C3015	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0CFEB549E537F8B2151A62BA069AE7A6D363BB90	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0D1B36E62742C7776D68B1240296D02DFD6478FF	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0D83D658A0C069047F6B9FD30BFDEDD80863B5F0	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0E030AE41B2AB97664B455929A8A0721BA5D1F69	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0E331C2EF53B5C952B79B038C00588087D45A128	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0EC55DA246CC743C7EEA604EB85A206384B78D8F	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0EDDF8C091E2FED62E44BEDDDC1723F5BF38FE4F	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0EFA10E4516ACC80858411CA65A3CFF2B1AB347D	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0FCD257674B1DEC53E0617114C11061F0395BE84	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0FEE7E531224DDC68090378EA0DD267E4A43A052	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\10242BACB3A923DC9924A5B41FC879A31AF03963	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\102DC0B203B92AE5ADA25E34CEB5788226CA2769	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\102E001FB34D784FBF727701C7932E3FC58AF45D	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\108573E2B07FF25FFCAFE37F58D375561A47424D	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\116D5E76041E1DFC3004D30FEEB76351BB9D361F	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1355867C7C8ACB52152CDC249B64D742CC40340D	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1367E452AEFAA74CB544B69373FCCBB6C0E95AEB	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1380A3F977C9CB8D60BD5A90243F6A04E42FAD04	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\13871F2088220BCD932D60C30C272709DEAABB04	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1456D316BEE665C776E86DC63D0F546BA069BFBE	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\14786BE4B1040FAE49EABD0E2222B7EDCC6DF321	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\14926D90946B0F4BA2FCA38D75A5FBA83EF29AD0	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\14BF1B21A28D68D02D3CF7A0CA4D66159596ECD1	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1531FBE50CE357526C558EE71AA60FC4D2E29E0C	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\15704E847DCFEC6E9A511A8897461209C820C052	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\15E4224DA48B83948028AEBE08751418DBDE4688	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\16103553C2544720A8768AAA60212BE5916A4CE9	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\16114BA75206B6FA4C51ADC8A73DB4C6635F6AF9	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\165A82B735DDDE6F05E29A770A52297EAE982902	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\16656B13E13FB159C452E606297943961E41BD83	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\167109A0C523F60F2197836B0BCDA9B52A4D16AE	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\170F54EDBE19BE8676CC69B53BAC08C8932D118A	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1722A63DF48E38B5DC308AE741FBFA24F762D8AC	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\17FDE78A9ACA4445D5D13C94208BC4B0E4BA046A	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1801CFE5BC39C5B24721E8CB2F32854EF5C5F96A	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1833D74FE9FD5E002D12AD1D5CE9845C539E6D49	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\19B6A58F54F979D1CF008970B9B0D36B11B7944D	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1A7C641FFE043BB811768257AF97546A0C7F3B55	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1AA5AFB1639FED28192BC2781A550C89494CDF9A	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1ADEB94741EA84BB04219DA402BBC420B5512A2A	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1C7A6CE17940A6C75210FA60C52339417DEDEEFA	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1C849477DE15B1F8F2245945F3F44468F58146DF	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1D719B3EE2A34A4E2DC9D0A4EAE1DF7948EA5A46	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1D8C7F5B73A4CD02E54F20A75B1FC29BE8E2EE8B	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1D94118C6FBA173AC2CE7C335C3CB9B7365F1E90	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1DBC56BBF48819D9CC9E96F72309A2D366DD1B72	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1DCB6E830B5F6182674047BC07BE94E869A82DC1	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1E4C1DE6D9BC3C738CB37D3D4E0CCCDBDD4EC3E7	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1E654765DD4C0B7A97A94BA7430FF4F02539B4D4	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1EB2E405E2B5AFF18DBD87BBFB385EED242A1AB5	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1F03C5BEB6690C5E65013ADC12747A8FB0266E74	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1F101A980B722E67F1FB3F0366EA9E520FB47D1B	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1F58B2F46F6C2DE8FF822405AC18A18128D0BBBC	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\20343A86FB834223CC13D33560122837208F7563	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\209D12DF1554481FBDC90931601991A892F798E7	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2118755562A693569EE2423CB1A2136CB8F1D9CC	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\212CB67D7B36A171AAF7F0B1E24E5ADC687ACDCF	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2144C082C2AC8FA4FB4863D9D3BE7E335DD2C91D	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\21870284BD46D6F21E756FF12837E26AC55D301D	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\21B0E0F8C11507CB07A1BB82407F5AD646D80836	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\224A275AD09BE370F96D409F6AFE2904589080EC	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\225640F98EF31B52AB76CF756A5C3512E0BDE89B	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\22777C6913A6B4768EE40D5F0103A93D8B477C3C	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\22B072DE2E829A9BBDD29C6C1005CBE946651C89	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\22CA1C7BCD8AA6B0D991889ABE75C06CA1EBACD1	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\24073350A672357B47B2D1A937642146E80AA938	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2445FA966A09E6B22679F2707AA980BBEBBC3BA8	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\245CEDA973B44C04325E8F3063F7596F9C88F120	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2465113476A71563C2561E1A45DF343E04BFF787	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\24BE475A5C9CE3DA33684DFDEE6AC47BC9BA6DE6	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\24C5A11C7C55D609ED86B6E31E2C94301D075CB3	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\24F9514653FD834D9D33E21B4C0AECB308550A9A	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2530EF3224B6681D2B34ED5DB0B170C716EB1E39	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2587F851FECE6E69F3B26E54EDE4E02BD3C1D496	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2598A1CBB2EA6DB15DFF6382E5B17F41B01B4F0E	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\25AFA0D28E7333EEE9F600A4A4F5B1C37A33789F	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\26686166E96A3EBDAC2ED90D8F9B4ECD22BBB577	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\26926D1CDB0298F2781D6FAD532518F7C8B787DA	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\26C8D0872DE7292BC9C7F54426A5E887557300EA	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\26D5902E65F2EC88B7E5ED33E815A3FDBE18E10F	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\270900E85767111BD4C54667E304A0B6656EA0A0	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\273736E26CFF7795BE550BE3B37B1D4598946999	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\28380882022BE365EDE32586CD158C635B9BE8D1	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\28D18C8667B2E4C79E3CE2766CF075BBFA55C129	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\28DAEEA417486B2D8FF609CC22C0244D45F802F7	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\291F29EF92755427DA03AB115BD92B68F34AB659	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\297135C089B3661F5AABB8E90985C6930164B685	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2A650CB5032027B0EF79F4B9916C5D43EEFEDB3A	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2A705BA174D08F119A903AD6AE391B16AE92D9FC	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2AEEA30E1ABF20CE6EDCD6534789A8A96595E87A	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2B662789DFDD9C1308FF8ECD48E05F393053163C	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2C18FE48FBDBA136A5EC51C8B9D4382D2452C359	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2C40C733B84018F500F4F551FC53305A5971F05F	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2C5330B3725C70F20F4BC8A5385F696CC68B83C6	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2C706476EF0944CD159653F65034A1071345205C	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2CCFCBE257B8F5BE4FEAF68C08171DAF22AEED89	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2D062CF6D6777E6BD7D9D53DBAB84CA6329C9727	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2D693D07DD992FA2955C9EDE27FDA78487556E32	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2D7DB1F2A5BBDE7DB3035CEA82134D2CF20D58AE	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2E08CDAEE955A40889AC5877BE194C7EF12394A5	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2E2D3BD78AAC7DD8EC8B5CA26C36A64A912EA68B	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2E78209F2BD7068695BB80AAE0D3E5F19A372BCA	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2EAFF2699FCEE0EDFEF4FF824C07727F657B0D45	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2F0A7F5A4CF50FBAA8EC8FB9F3EBEF7461E5FA83	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2FD2E2A71F89E3A92F68CB796207228217259289	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2FEB6245AA212EA51F79468084964097925BD6D6	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\311C19847187CC20C5A8A21FA39C6639F5BBCF67	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\31220725946AC054F523C4029C40CA22A7A42621	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\31592C8B017CA0508B5F0339E7E1EA46376F2D31	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\317E80FB14217F5F6E8EAB3C4982A166EBEDBC9C	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3194BBD824DE5F4E0F44B99C71BB6C700199B487	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\31F8F1DF56894B1D3F2180DB7128624160D6FD5E	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3221C03D33E21E6F8B41DB86EB7B6527177AD6F9	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\32AFE38EED991EA004851E7C968397C7D9EA501C	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\32B6927A1EB46E83B230070265358A1C5B788D11	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3313B622F3B9896C056CB0A1A534E4C91732E665	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\338233A5FF4B5082E562A4B5BFBCDB2581DE81E6	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\339A4E96E26DFFA4704F0AF081D2B85B12D03939	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\33A34037B96BD19CC90C0A382CEDF384EE052FCC	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\33B10E2C53E1205B7527185F086F1BD9A39B07CD	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\33E49DB212B852799023F439D16990005F93C4F7	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\33E659B30B4E594B210633855AC841A47BB4BBB9	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\346330431993BC995E9F9C114FE39FD5B54EB7DF	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\34CEF73D25CB0DE8A1CD86FB09EF24D17790BCA7	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3502F57243FBD8F9D25E093A72D603074783A304	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\356FCE9F932692DC643481DBA1ABEA937B629F58	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\35933C361338037A97583E92DA61C299851A9B4E	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\36A422C04312727A6116F45E357EDA80B3B4A6FD	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\36C5C19636CA8995D6ADCD176668444451854326	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\36DBE72541419953BE4A8BD61964782F4DBEDECF	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\376ED25A1DE94F0D96E985E5D5CACFCFE3812131	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\37B0298825F693E093744779A7278E41F1419493	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\37B4BC98C8FDD6283BE80C5CC385582FEF5D6747	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\37BC32B4B7033C1AB388018EC734B639086C814E	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\383704E4BB07D527519A7352BA38B681C661FD8F	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\38819CF0EDDF28F6C7AE4A62EA2DC0E07EA71115	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\39CC8AA9054EC6244CA281EEA4BD937517E2861D	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\39D606C35C00ADA6E9320E1F6431E5A33EB42182	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3A554E4EFCC1FAD19E963D27B9A2BF73C9664268	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3A6C331288F156E9A07E3EA398F3A8FAF0530D8F	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3B3EDC129FE6ED020C044AC637791DEC8B6B7603	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3D896079491CA68DD9BB6DB7E612C8DC74463279	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3DE1033D1165F9D849E6DFD8566ABB9179DB1D0F	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3E42820479FADF666581B0704FA4AF901AE0E045	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3EA580E2FD537915B7084615630F0189274B1F60	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3FAECD8F44CECB41F5586C0DC333275FC173593A	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3FB6DE7747DC1B658385638D277CF2D620D232E4	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\400E86363026A9AC2DCD2221C145C6370E3E8EDA	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4030DFFE47D5B75257AA7A8C0A26B737E2F00FF3	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\40645D76E586E360D63982B2D4525920F0CF3060	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\406839CA18775158E58D75B2837624917D7E685C	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\407EB4DE353DE3AD4E1A29F0E0E84F65C2CE6E3A	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\41367369B0154D1D2566CC216318C71115E089A2	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4238786CB87B503754EE13346F30AE3FCE28174F	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\425AB3A135AC92C5F7A29092F686A777B30A8C0A	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\42C23BB7242DFE074931A302B5BEB9B1D73B0BA5	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\431BDCA04B51BE586DFCF48431166463879B3DBF	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\434A5C8B5D0BEF67CEEB6076803A286CAE99C8C9	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\43686105AC844B29A19E4AD788A5ABBD2714FC75	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\438AB448ED7FB7D99CB7CFAB433F9E19A475D0EF	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\43A641B524487AFDAC7A8AF548EE196228BF6EAE	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\44437BAE601C72F5ED96953EAE92C527D4C2D46F	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4453CB40F54977CDF96034A3A658080FDA7E43FA	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\445E695F447CA967C4DAE00C80034130290F80EA	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\45A759AC8024EF1FCC5ECA005CEB9C4A4F78984E	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\45C64E5C2E9809667C5FC9F06FC42641326DF768	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4613B437E86D18E98F830433A5E6F7F9ABAF3693	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\467A961D019F23E5AF0F0266CD78A5F3D3290E5B	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\489059ED134C75D04357FD895C6280E1F7978C59	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\48D18A403364708B74676D0C5068809EE47BCF43	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\491836973BD7F16266314A8709EF00934A1BFCA0	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\491FFC0D1E910DC1DB3107E7DA730B43A97010A0	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4A46AC76F0CCC4293CC380999116F3B7911F85BE	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4B18B5ADA8BF2E475961694931BE215AED8ECBD5	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4B2A0DFA12FEADFF375261309F704B43534BEE37	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4BB6AC032612F432B6B5DA43EE2DAA6A8A03B6F4	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4C7EAEF07520B2C9900CFE06971368FF939AA197	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4CAD791F9C35BB747A46BAC7BE30A1E3BC028262	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4CF1AED5BBD3500653D8E2D1ACE09C58CF2D6182	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4DCE88D30F65C9460CC26665BC0A65F3234FA3D4	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4DEBFBF420A31CFDD61418B1BE3ADB580389730E	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4EFB15999EE57EDBFAADF69D6A31D8C6F90FE8DC	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4F0C54EEF677196E2899E5E79B4F3A906E46F926	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4F21DDD23480F1D4FBA13115BADB18B9AD18D8B1	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4F372C9418B79051ABED288900CDF3D20C12F38C	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4F680E68B8C682B5D2540FA7BE7B7F0D7521D9C9	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4F78D1F2D9B48D34C6259CF59FD5E171B97EFB3A	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4FC872C4A3A8739207D005A676C19DAB518FA53B	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\514D7C625328106E43CEC7FD7CF71AEDA0A3101F	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\522FF036651FEA29F227BFB14BD934175DDBA62A	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5289F8C4AB5388DE2FCD562674EDF6674FB6DD30	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\529CD0D4C166C4989BAABA7E5FF50F75FB1D22D3	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\52ECE00B624C0C246123D20C46C3EE4F390A42FE	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\539C21F72CC831D883A265394E7125EFC208B096	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\53DAE4B1D7BFF6744CCAF7207DE631267F9883DC	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\53E9CAA90A10C82CF9C2D5393B332D17B263105E	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\54BF6D9D46D035228AC887ABC41B451F2BA38C02	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5588A68FFECF7B388E18C33727BF06B30B837DF1	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\559737B84286037BF56FE9E46C53581FB6FF6751	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\56945BFE2B00EED1BE4F7B1F389030A0AF203742	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\56B48B214C8C7AC2CE81EFC4F92C4550FB675AE9	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\56C1D667A6AFD5406F830882D54923461E079C1B	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5740B2DD533A74C3D20DD1D045CF7090D3BFB1AC	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\577655B6F15A0EEA0864C0703652DE24C091B634	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5781F439935B6472D7D312E75A3B766C3E30CF60	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\579EC9227C4A988DCC4894D82AA161957107515D	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\57E662573FD9E42D3972BE92D3DF0557C7B2E836	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\57FB9388D9B054D289CC913E797B5C5217B6A217	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\58A845FD76589B14EF62BB6CFEA62DB0C7CCFBBE	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\58BFE77FA719F36CE48D4A317C753C845C38FE29	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\59248032DB55D8A9E0296A51BC66F3DEA6028EA5	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\592BC6129BB410343931D35AFB0FE270C66E58F0	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\59BB52B352DE6D0ED5D0376B33855D43CA80B3F7	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\59D05F1B38666C8EF68BDEE20A28647F754464F6	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5A39FCB4CCAE4A6C76307026D7C882B4AE85B1F9	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5A6EEC1674DA4669A4FF612E7924A91FBF501426	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5AF1F43361120818C2E543605F5DF938574B1EDC	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5B1B55B57E2440A52DE3FED7E02C83E04A78B0FD	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5B928BD544BA66929A709C6AEC9D5968DCB905A1	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5BDDE6C7804D11CE399AF314C3D33E47FBAE7C88	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5C30F12D68A505E4AE0A6A3D896A1EC9C549AE96	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5D3D330EFBD2B9CD6EB45919D9403F605414EFA5	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\Cache\, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\, type = file_attributes	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000001	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000002	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000003	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000004	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000005	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000006	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000007	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000008	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000009	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000a	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000b	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000c	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000d	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000e	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000f	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000010	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000011	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000012	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000013	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000014	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000015	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000016	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000017	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000018	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001a	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001b	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001c	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001d	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001e	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001f	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\index	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies, type = file_attributes	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies	1	Fn

Thread 0xbbc

Category	Operation	Information	Count	Logfile
Module	Get Address	module_name = Unknown module name, function = 92, address_out = 0x7ffb46ab1c90	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\{25E2F~1, type = file_attributes	1	Fn
Module	Get Address	module_name = Unknown module name, function = PathIsDirectoryEmptyA, address_out = 0x7ffb46266840	1	Fn
System	Get Time	type = Ticks, time = 106031	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\6581.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\{25E2F~1, type = file_attributes	1	Fn
System	Get Time	type = Ticks, time = 106031	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin, size = 80	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin, size = 30	1	Fn Data
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\{25E2F~1, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\{25E2F~1\01D46BD24DAB98E809, type = file_attributes	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin, size = 24	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin, size = 22	1	Fn Data
Process	Create	process_name = makecab.exe /F "C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin", os_pid = 0x848, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\{25E2F~1\setup.inf	1	Fn
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\{25E2F~1\setup.rpt	1	Fn
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\6581.bin, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\6581.bin, type = size	1	Fn
Module	Get Address	module_name = Unknown module name, function = CoCreateGuid, address_out = 0x7ffb46682340	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Files	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Files, value_name = 2B1905BE3AD836430F, size = 92, type = REG_BINARY	1	Fn Data
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{25E2F79F-402D-9FBF-7229-7443C66DE827}\01D46BD24DAB98E809	1	Fn

Thread 0x44c

Category	Operation	Information	Count	Logfile
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace, value_name = MonitorRegistry, data = 1	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = MonitorRegistry	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = MonitorRegistry	1	Fn

Thread 0x618

Category	Operation	Information	Count	Logfile
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace, value_name = MonitorRegistry, data = 1	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = MonitorRegistry	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = MonitorRegistry	1	Fn

Thread 0x4b8

Category	Operation	Information	Count	Logfile
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace, value_name = MonitorRegistry, data = 1	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = MonitorRegistry	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = MonitorRegistry	1	Fn

Thread 0x84

Category	Operation	Information	Count	Logfile
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace, value_name = MonitorRegistry, data = 1	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = MonitorRegistry	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace, value_name = MonitorRegistry	1	Fn

Thread 0x7c8

Category	Operation	Information	Count	Logfile
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = PSFactoryBuffer	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\System32\npmproxy.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Both	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn

Process #9: cmd.exe

Information	Value
ID	#9
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /C "systeminfo.exe > C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:10, Reason: Child Process
Unmonitor	End Time: 00:03:20, Reason: Self Terminated
Monitor Duration	00:00:10

OS Process Information

Information	Value
PID	0x560
Parent PID	0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 4D4 0x BE4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000ee54970000	0xee54970000	0xee5498ffff	Private Memory	rw	-
pagefile_0x000000ee54970000	0xee54970000	0xee5497ffff	Pagefile Backed Memory	rw	-
private_0x000000ee54980000	0xee54980000	0xee54986fff	Private Memory	rw	-
pagefile_0x000000ee54990000	0xee54990000	0xee549a3fff	Pagefile Backed Memory	r	-
private_0x000000ee549b0000	0xee549b0000	0xee54aaffff	Private Memory	rw	-
pagefile_0x000000ee54ab0000	0xee54ab0000	0xee54ab3fff	Pagefile Backed Memory	r	-
pagefile_0x000000ee54ac0000	0xee54ac0000	0xee54ac0fff	Pagefile Backed Memory	r	-
private_0x000000ee54ad0000	0xee54ad0000	0xee54ad1fff	Private Memory	rw	-
locale.nls	0xee54ae0000	0xee54b9dfff	Memory Mapped File	r	-
private_0x000000ee54ba0000	0xee54ba0000	0xee54ba6fff	Private Memory	rw	-
private_0x000000ee54bf0000	0xee54bf0000	0xee54ceffff	Private Memory	rw	-
private_0x000000ee54cf0000	0xee54cf0000	0xee54deffff	Private Memory	rw	-
private_0x000000ee54fc0000	0xee54fc0000	0xee54fcffff	Private Memory	rw	-
sortdefault.nls	0xee54fd0000	0xee55306fff	Memory Mapped File	r	-
pagefile_0x00007df5ff400000	0x7df5ff400000	0x7ff5ff3fffff	Pagefile Backed Memory	-	-
pagefile_0x00007ff7b4520000	0x7ff7b4520000	0x7ff7b461ffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff7b4620000	0x7ff7b4620000	0x7ff7b4642fff	Pagefile Backed Memory	r	-
private_0x00007ff7b4648000	0x7ff7b4648000	0x7ff7b4648fff	Private Memory	rw	-
private_0x00007ff7b464c000	0x7ff7b464c000	0x7ff7b464dfff	Private Memory	rw	-
private_0x00007ff7b464e000	0x7ff7b464e000	0x7ff7b464ffff	Private Memory	rw	-
cmd.exe	0x7ff7b50b0000	0x7ff7b5108fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ffb45670000	0x7ffb4584cfff	Memory Mapped File	rwx	-
kernel32.dll	0x7ffb45e10000	0x7ffb45ebcfff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ffb48000000	0x7ffb4809cfff	Memory Mapped File	rwx	-
ntdll.dll	0x7ffb48180000	0x7ffb48341fff	Memory Mapped File	rwx	-

Created Files

Filename	File Size	Hash Values	Actions
C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1	2.19 KB	MD5: 95164cb94e0099ebaf8204d2fac24e03 SHA1: 4e3c1c9677fd5b27558a8676d7ee5714f67b6b66 SHA256: 387d3395acc1e9a09aa9bf916027c2f958e179eb7fa2b1f3c782f8d96c95b254 SSDeep: 48:wtjQxD3CK4PCX1iUkPGK/JIj3fG7XhygKYhkONYGqEMcCGEi6ZBM8wp:wtjQxDyVCX18Q3EKYeOmOEi6ZW8wp	... File Actions Show Properties Download
C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1	2.07 KB	MD5: f243c5ee67a72535da0288e1ad957037 SHA1: bd57e1c69509bf3b6efb5526eb106862afacbbcd SHA256: 8ceb32a2d8f944f186ac649d757aed050da2f185d711a8ef72824e235a7ad8ed SSDeep: 48:wtjQxD3CK4PCX1iUkPGK/JIj3fG7XhygKYhkONYGqEMcCGEi6ZBM2:wtjQxDyVCX18Q3EKYeOmOEi6ZW2	... File Actions Show Properties Download
C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1	2.18 KB	MD5: 4a14ffd074969f6ac4124cf8012d959e SHA1: cab42d68631919a0416fcd8db74294f40fd7f8f6 SHA256: ab0bc9d85b3ffd22b4f6edb5c00d74e7010c2ab1b4ddc620682ee247c4770912 SSDeep: 48:wtjQxD3CK4PCX1iUkPGK/JIj3fG7XhygKYhkONYGqEMcCGEi6ZBM8w0:wtjQxDyVCX18Q3EKYeOmOEi6ZW8w0	... File Actions Show Properties Download
C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1	2.10 KB	MD5: 3feb4607b93a9597595957709d6b150d SHA1: ea963b0034aebc8d702b2d2ab33285b5001d703a SHA256: 34073063c4a2d54f0eeaccf8439788ed0cc203e197a90ceca77e4142619d2964 SSDeep: 48:wtjQxD3CK4PCX1iUkPGK/JIj3fG7XhygKYhkONYGqEMcCGEi6ZBMw:wtjQxDyVCX18Q3EKYeOmOEi6ZWw	... File Actions Show Properties Download
C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1	5.76 KB	MD5: 5fcaaaa8ff4fa27e6980e193e143d7bd SHA1: 1230e8c8ae3eeb2fc25b495bf3557e7e3063e752 SHA256: e17cdba6561014e0a01d756d69c881ccbc9d7d67471eee08413185e04d2dfa89 SSDeep: 96:wtjQxDyVCX18Q3EKYeOmOEi6ZW8wxqoEd+kcUOKbbipRYmMkTQ28j1g3paigcv70:weEVy8IYeOmOL8yEd+kcUOKbbipRYmMn	... File Actions Show Properties Download
C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1	2.08 KB	MD5: a233dd20e25ecb6c8aa47139078f4ec9 SHA1: 1988e5f2607a9842ffe55f40c20be19a65422fec SHA256: e2cc6a6c62d5d18487b3047a5ed8eb4725ea9dc94b29f3d566cc0959ce0f4784 SSDeep: 48:wtjQxD3CK4PCX1iUkPGK/JIj3fG7XhygKYhkONYGqEMcCGEi6ZBMT:wtjQxDyVCX18Q3EKYeOmOEi6ZWT	... File Actions Show Properties Download
C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1	26.95 KB	MD5: c899c3bc51beac3ebb514e233930e5fa SHA1: a57182040b53432dd887d76bc73cced20e48f717 SHA256: b2852659a9d2fad2507c8dc7a9eba38c7ad04a9e1806f546242dbfb8e1c73935 SSDeep: 768:BaIDOhL5Ed+kcUOKbbi7Ym12MaiPz9jAnr/ESZtlA8YkF7vpGCKoWfvozY9Z86IX:Q1hlEd+kcUOYbi7x12MaiPz9jAr/ESZ1	... File Actions Show Properties Download
C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1	48.25 KB	MD5: c892049fc102a30285e8b98aa4c6b1e5 SHA1: 6c619c97f5ef82c3d2f5623534fadded48a4648c SHA256: 90eb06e686edc493e6c9ca57b9b71897d27e904a8efafb6046154fff2c84f4c1 SSDeep: 1536:Q1hlEd+kcUOYbi7x12MaiPz9jAr/ESZtlA8YkFNfBYk2:QPqYk2	... File Actions Show Properties Download
C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1	48.24 KB	MD5: 7b98a5c728f70583b66487c611d2b340 SHA1: 0fc33f6da9f866468fd2990ae0482a7c777c5462 SHA256: e293e56d0aef3aa369d6a89e0af90f6eb2cc89ca8a399a0e7252d08935b33d5e SSDeep: 1536:Q1hlEd+kcUOYbi7x12MaiPz9jAr/ESZtlA8YkFNfBYkJ:QPqYkJ	... File Actions Show Properties Download

Threads

Thread 0x4d4

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x7ff7b50b0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffb45e2d550	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7ffb45e325e0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7ffb45e31f90	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7ffb456c3a10	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = systeminfo.exe, type = file_attributes	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\systeminfo.exe, os_pid = 0xa90, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #11: makecab.exe

Information	Value
ID	#11
File Name	c:\windows\system32\makecab.exe
Command Line	makecab.exe /F "C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin"
Initial Working Directory	C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\{25E2F~1\
Monitor	Start Time: 00:03:12, Reason: Child Process
Unmonitor	End Time: 00:03:16, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

Information	Value
PID	0x848
Parent PID	0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 6E4 0x BFC

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000f244970000	0xf244970000	0xf24498ffff	Private Memory	rw	-
pagefile_0x000000f244970000	0xf244970000	0xf24497ffff	Pagefile Backed Memory	rw	-
private_0x000000f244980000	0xf244980000	0xf244986fff	Private Memory	rw	-
pagefile_0x000000f244990000	0xf244990000	0xf2449a3fff	Pagefile Backed Memory	r	-
private_0x000000f2449b0000	0xf2449b0000	0xf244a2ffff	Private Memory	rw	-
pagefile_0x000000f244a30000	0xf244a30000	0xf244a33fff	Pagefile Backed Memory	r	-
pagefile_0x000000f244a40000	0xf244a40000	0xf244a41fff	Pagefile Backed Memory	r	-
private_0x000000f244a50000	0xf244a50000	0xf244a51fff	Private Memory	rw	-
private_0x000000f244a60000	0xf244a60000	0xf244a66fff	Private Memory	rw	-
private_0x000000f244a70000	0xf244a70000	0xf244a70fff	Private Memory	rw	-
private_0x000000f244a80000	0xf244a80000	0xf244a80fff	Private Memory	rw	-
tzres.dll	0xf244a90000	0xf244a92fff	Memory Mapped File	r	-
tzres.dll.mui	0xf244aa0000	0xf244aa8fff	Memory Mapped File	r	-
private_0x000000f244ab0000	0xf244ab0000	0xf244baffff	Private Memory	rw	-
locale.nls	0xf244bb0000	0xf244c6dfff	Memory Mapped File	r	-
private_0x000000f244c70000	0xf244c70000	0xf244ceffff	Private Memory	rw	-
private_0x000000f244d50000	0xf244d50000	0xf244d5ffff	Private Memory	rw	-
pagefile_0x000000f244d60000	0xf244d60000	0xf244ee7fff	Pagefile Backed Memory	r	-
pagefile_0x000000f244ef0000	0xf244ef0000	0xf245070fff	Pagefile Backed Memory	r	-
pagefile_0x000000f245080000	0xf245080000	0xf24647ffff	Pagefile Backed Memory	r	-
private_0x000000f246480000	0xf246480000	0xf24657ffff	Private Memory	rw	-
pagefile_0x00007df5ffc30000	0x7df5ffc30000	0x7ff5ffc2ffff	Pagefile Backed Memory	-	-
pagefile_0x00007ff780d40000	0x7ff780d40000	0x7ff780e3ffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff780e40000	0x7ff780e40000	0x7ff780e62fff	Pagefile Backed Memory	r	-
private_0x00007ff780e68000	0x7ff780e68000	0x7ff780e68fff	Private Memory	rw	-
private_0x00007ff780e6c000	0x7ff780e6c000	0x7ff780e6dfff	Private Memory	rw	-
private_0x00007ff780e6e000	0x7ff780e6e000	0x7ff780e6ffff	Private Memory	rw	-
makecab.exe	0x7ff781df0000	0x7ff781e09fff	Memory Mapped File	rwx	-
version.dll	0x7ffb3d3b0000	0x7ffb3d3b9fff	Memory Mapped File	rwx	-
cabinet.dll	0x7ffb3e540000	0x7ffb3e566fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ffb45670000	0x7ffb4584cfff	Memory Mapped File	rwx	-
user32.dll	0x7ffb45c50000	0x7ffb45d9dfff	Memory Mapped File	rwx	-
kernel32.dll	0x7ffb45e10000	0x7ffb45ebcfff	Memory Mapped File	rwx	-
imm32.dll	0x7ffb46070000	0x7ffb460a5fff	Memory Mapped File	rwx	-
gdi32.dll	0x7ffb460c0000	0x7ffb46244fff	Memory Mapped File	rwx	-
msctf.dll	0x7ffb462d0000	0x7ffb4642bfff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ffb48000000	0x7ffb4809cfff	Memory Mapped File	rwx	-
ntdll.dll	0x7ffb48180000	0x7ffb48341fff	Memory Mapped File	rwx	-

Created Files

Filename	File Size	Hash Values	Actions
setup.inf	0.93 KB	MD5: 52b50016ed572ded1de3687896aa83ad SHA1: 8ffcf485171d7e77b3156171e82cb7293dcd8db3 SHA256: bc55d8609514521f4433feaf43a2159c34bb6537907af11e9ef0c2aec3e0a8e8 SSDeep: 12:QxncDimwRL+unsP2neJhecfy+FkIncDimwRL+unhIv:QF8vwIun02nKheAyct8vwIunw	... File Actions Show Properties Download
setup.rpt	0.28 KB	MD5: 64a168c47cde012b32be601327ec526a SHA1: ba1287be83d885b83d92c819e02f4d39b4d43b84 SHA256: 5071a9809d9f61844fd29e6ead9856fa2cd3d716d5529bb18a74429e40aed501 SSDeep: 6:vgqG0l/ukwT2SVKQv7D0iws/bWiQTIKWd:vO0XwbBv7AiwsCWd	... File Actions Show Properties Download
C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2120_3	0.03 KB	MD5: 31b8a869a5f32847349c4679b7640251 SHA1: 6329ef473a0a031d927b659d200559f05a4229e0 SHA256: ae494fd3f7e864fda30d394332d762197dcd306db8361b675b35c25c61ab743e SSDeep: 3:NLBocGDn:Zeca	... File Actions Show Properties Download
C:\Users\CIIHMN~1\AppData\Local\Temp\4D82\FE41.tmp	0.00 KB	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3::	... File Actions Show Properties
C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2120_4	0.04 KB	MD5: fad5dc3d88f14b506a1cd1451f409122 SHA1: bacf424a3951506352c7640ed3c817551947eeb1 SHA256: ccdd94d2ac07b075d2ccc012ad5d1e2158a42d09d76b66d4caa1f378f5716fa8 SSDeep: 3:dJgVRl+znliduckvn:dq5+zliduLvn	... File Actions Show Properties Download
C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2120_9	0.01 KB	MD5: 7b5b6c7bf41e6055abd4e74476e08575 SHA1: 5c05d3a68f69258d236f6d9677cc0a42e399e7cc SHA256: 2392619f397925a165cf31634781d68b006c396611c425f6c67f338356e47f8f SSDeep: 3:P:P	... File Actions Show Properties Download
C:\Users\CIIHMN~1\AppData\Local\Temp\6581.bin	0.16 KB	MD5: ecfac958e0043e93e2160bcd67689223 SHA1: 6c8a5d9683ee5fa40f64a5c595dd0a0e465ad2a5 SHA256: 5bcc28bbfe71eafc16513edc82137fb3628ee14472511aaca33bc9e436679bdd SSDeep: 3:wkltLl5/mh/LlElJ4RTlidNlQyiv2PuIX3Nv3BBNDKcwASzGEsKn:wsFmJLaGidNlQyivzIX9v33AczAGEn	... File Actions Show Properties Download
C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2120_6	0.03 KB	MD5: f5229ed6188535f29d4909c9f66a1f5f SHA1: d06d9efab1170c6725dfdb57dca82ddd06deca40 SHA256: 6f7b57d84c1b52470cfea1bfdad7c331a6030e1cc18a49e5f1b62878492bf2d7 SSDeep: 3:54RTlidC:2idC	... File Actions Show Properties Download
C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2120_2	0.02 KB	MD5: 4230347e5849e9c7230227a287ae4a41 SHA1: a3fa042694dc86f05973ac07231c95cf590d606a SHA256: 2484fa669042204d83d907de45012a2aef7f6687613ce76169097240415b0abd SSDeep: 3:R0qxv:Rf	... File Actions Show Properties Download
C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2120_5	0.08 KB	MD5: 9b7c67062c98970fbeee70e704792806 SHA1: b3cc082505413056d39b66e9ac049956e8fe8f63 SHA256: 6b656634aeac7fd407ef0ef095563851a41af0b0ed7d74250eafb29c04f8205b SSDeep: 3:3lZjQyiv2PuIX3Nv3BBNDKcwASzGEsKn:rQyivzIX9v33AczAGEn	... File Actions Show Properties Download
C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2120_7	0.08 KB	MD5: d1590e9fff9f288b89f78982a6ec02f1 SHA1: 4d8eb883e0994623bfb4d7eaf2b5717e92efb7db SHA256: d1b27b955b4ee705abdd8135d563f940f39766ff12237b08fde323a8c75a10eb SSDeep: 3:0lQyiv2PuIX3Nv3BBNDKcwASzGEsKn:0lQyivzIX9v33AczAGEn	... File Actions Show Properties Download

Threads

Thread 0x6e4

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\makecab.exe, base_address = 0x7ff781df0000	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x7ffb45e30f40	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin, file_attributes = _O_EXCL	1	Fn
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin, size = 3	1	Fn Data
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin, size = 4096	1	Fn Data
File	Create	filename = CAB02120.TMP, file_attributes = _O_RDWR, _O_CREAT, _O_EXCL	1	Fn
File	Create	filename = setup.inf, file_attributes = _O_RDWR, _O_CREAT	1	Fn
File	Create	filename = CAB02120.TMP, file_attributes = _O_RDWR, _O_CREAT, _O_EXCL	1	Fn
File	Create	filename = setup.rpt, file_attributes = _O_RDWR, _O_CREAT	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2120_2, file_attributes = _O_WRONLY	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2120_3, file_attributes = _O_WRONLY	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2120_4, file_attributes = _O_WRONLY	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin, file_attributes = _O_EXCL	1	Fn
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin, size = 3	1	Fn Data
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin, size = 4096	1	Fn Data
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02120.TMP, file_attributes = _O_RDWR, _O_CREAT, _O_EXCL	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2120_5, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2120_6, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2120_7, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2120_8, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2120_9, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Get Info	filename = 01D46BD24DAB98E809, type = file_attributes	1	Fn
File	Create	filename = 01D46BD24DAB98E809, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE	1	Fn
File	Read	size = 32768	1	Fn Data
File	Read	size = 32672	1	Fn
File	Write	size = 16	1	Fn Data
File	Write	size = 19	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02120.TMP, size = 8	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02120.TMP, size = 74	1	Fn Data
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2120_10, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2120_11, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02120.TMP, size = 8	1	Fn Data
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02120.TMP, size = 74	1	Fn Data
File	Write	size = 8	1	Fn Data
File	Write	size = 74	1	Fn Data
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02120.TMP, size = 8	1	Fn
File	Write	size = 8	1	Fn Data
File	Read	size = 16	1	Fn Data
File	Read	size = 256	1	Fn Data
File	Write	size = 16	1	Fn Data
File	Write	size = 19	1	Fn Data
File	Read	size = 16	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\6581.bin, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02120.TMP, size = 36	1	Fn Data
File	Read	size = 8	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02120.TMP, size = 8	1	Fn Data
File	Read	size = 8	1	Fn
File	Read	size = 32768	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02120.TMP, size = 35	1	Fn Data
File	Read	size = 32768	1	Fn
File	Read	size = 32768	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02120.TMP, size = 82	1	Fn Data
File	Read	size = 32768	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02120.TMP, size = 4	1	Fn Data
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2120_12, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2120_13, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2120_14, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = setup.inf, file_attributes = _O_WRONLY \| _O_BINARY	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2120_2, file_attributes = _O_RDONLY \| _O_BINARY	1	Fn
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2120_2, size = 2048, size_out = 23	1	Fn Data
File	Write	filename = setup.inf, size = 23	1	Fn Data
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2120_3, file_attributes = _O_RDONLY \| _O_BINARY	1	Fn
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2120_3, size = 2048, size_out = 30	1	Fn Data
File	Write	filename = setup.inf, size = 30	1	Fn Data
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2120_4, file_attributes = _O_RDONLY \| _O_BINARY	1	Fn
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2120_4, size = 2048, size_out = 40	1	Fn Data
File	Write	filename = setup.inf, size = 40	1	Fn Data
File	Create	filename = setup.rpt, file_attributes = _O_WRONLY	1	Fn

Process #13: systeminfo.exe

Information	Value
ID	#13
File Name	c:\windows\system32\systeminfo.exe
Command Line	systeminfo.exe
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:13, Reason: Child Process
Unmonitor	End Time: 00:03:20, Reason: Self Terminated
Monitor Duration	00:00:07
Remark	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0xa90
Parent PID	0x560 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x BC4 0x B04 0x A28 0x B00 0x AEC

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000a19e6c0000	0xa19e6c0000	0xa19e6dffff	Private Memory	rw	-
pagefile_0x000000a19e6c0000	0xa19e6c0000	0xa19e6cffff	Pagefile Backed Memory	rw	-
private_0x000000a19e6d0000	0xa19e6d0000	0xa19e6d6fff	Private Memory	rw	-
pagefile_0x000000a19e6e0000	0xa19e6e0000	0xa19e6f3fff	Pagefile Backed Memory	r	-
private_0x000000a19e700000	0xa19e700000	0xa19e77ffff	Private Memory	rw	-
pagefile_0x000000a19e780000	0xa19e780000	0xa19e783fff	Pagefile Backed Memory	r	-
pagefile_0x000000a19e790000	0xa19e790000	0xa19e790fff	Pagefile Backed Memory	r	-
private_0x000000a19e7a0000	0xa19e7a0000	0xa19e7a1fff	Private Memory	rw	-
private_0x000000a19e7b0000	0xa19e7b0000	0xa19e7b6fff	Private Memory	rw	-
systeminfo.exe.mui	0xa19e7c0000	0xa19e7c3fff	Memory Mapped File	r	-
private_0x000000a19e7d0000	0xa19e7d0000	0xa19e7d0fff	Private Memory	rw	-
private_0x000000a19e7e0000	0xa19e7e0000	0xa19e8dffff	Private Memory	rw	-
locale.nls	0xa19e8e0000	0xa19e99dfff	Memory Mapped File	r	-
private_0x000000a19e9a0000	0xa19e9a0000	0xa19ea1ffff	Private Memory	rw	-
private_0x000000a19ea20000	0xa19ea20000	0xa19ea20fff	Private Memory	rw	-
pagefile_0x000000a19ea30000	0xa19ea30000	0xa19ea30fff	Pagefile Backed Memory	r	-
pagefile_0x000000a19ea40000	0xa19ea40000	0xa19ea40fff	Pagefile Backed Memory	r	-
private_0x000000a19ea50000	0xa19ea50000	0xa19eacffff	Private Memory	rw	-
private_0x000000a19ead0000	0xa19ead0000	0xa19eb4ffff	Private Memory	rw	-
private_0x000000a19eb50000	0xa19eb50000	0xa19eb5ffff	Private Memory	rw	-
pagefile_0x000000a19eb60000	0xa19eb60000	0xa19ece7fff	Pagefile Backed Memory	r	-
pagefile_0x000000a19ecf0000	0xa19ecf0000	0xa19ee70fff	Pagefile Backed Memory	r	-
pagefile_0x000000a19ee80000	0xa19ee80000	0xa1a027ffff	Pagefile Backed Memory	r	-
sortdefault.nls	0xa1a0280000	0xa1a05b6fff	Memory Mapped File	r	-
private_0x000000a1a05c0000	0xa1a05c0000	0xa1a063ffff	Private Memory	rw	-
pagefile_0x00007df5ffc30000	0x7df5ffc30000	0x7ff5ffc2ffff	Pagefile Backed Memory	-	-
pagefile_0x00007ff6b8ac0000	0x7ff6b8ac0000	0x7ff6b8bbffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff6b8bc0000	0x7ff6b8bc0000	0x7ff6b8be2fff	Pagefile Backed Memory	r	-
private_0x00007ff6b8be5000	0x7ff6b8be5000	0x7ff6b8be5fff	Private Memory	rw	-
private_0x00007ff6b8be6000	0x7ff6b8be6000	0x7ff6b8be7fff	Private Memory	rw	-
private_0x00007ff6b8be8000	0x7ff6b8be8000	0x7ff6b8be9fff	Private Memory	rw	-
private_0x00007ff6b8bea000	0x7ff6b8bea000	0x7ff6b8bebfff	Private Memory	rw	-
private_0x00007ff6b8bec000	0x7ff6b8bec000	0x7ff6b8bedfff	Private Memory	rw	-
private_0x00007ff6b8bee000	0x7ff6b8bee000	0x7ff6b8beffff	Private Memory	rw	-
systeminfo.exe	0x7ff6b9aa0000	0x7ff6b9abcfff	Memory Mapped File	rwx	-
framedynos.dll	0x7ffb36180000	0x7ffb361cdfff	Memory Mapped File	rwx	-
wbemsvc.dll	0x7ffb38f70000	0x7ffb38f83fff	Memory Mapped File	rwx	-
fastprox.dll	0x7ffb38f90000	0x7ffb39087fff	Memory Mapped File	rwx	-
wbemprox.dll	0x7ffb397a0000	0x7ffb397b0fff	Memory Mapped File	rwx	-
version.dll	0x7ffb3d3b0000	0x7ffb3d3b9fff	Memory Mapped File	rwx	-
wbemcomn.dll	0x7ffb3db20000	0x7ffb3db9efff	Memory Mapped File	rwx	-
mpr.dll	0x7ffb43de0000	0x7ffb43dfbfff	Memory Mapped File	rwx	-
rsaenh.dll	0x7ffb44070000	0x7ffb440a2fff	Memory Mapped File	rwx	-
cryptsp.dll	0x7ffb44420000	0x7ffb44436fff	Memory Mapped File	rwx	-
cryptbase.dll	0x7ffb44590000	0x7ffb4459afff	Memory Mapped File	rwx	-
sspicli.dll	0x7ffb447d0000	0x7ffb447fbfff	Memory Mapped File	rwx	-
bcrypt.dll	0x7ffb449d0000	0x7ffb449f7fff	Memory Mapped File	rwx	-
bcryptprimitives.dll	0x7ffb44a00000	0x7ffb44a6afff	Memory Mapped File	rwx	-
kernel.appcore.dll	0x7ffb44c20000	0x7ffb44c2efff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ffb45670000	0x7ffb4584cfff	Memory Mapped File	rwx	-
clbcatq.dll	0x7ffb45850000	0x7ffb458f4fff	Memory Mapped File	rwx	-
sechost.dll	0x7ffb45ac0000	0x7ffb45b1afff	Memory Mapped File	rwx	-
rpcrt4.dll	0x7ffb45b20000	0x7ffb45c45fff	Memory Mapped File	rwx	-
user32.dll	0x7ffb45c50000	0x7ffb45d9dfff	Memory Mapped File	rwx	-
ws2_32.dll	0x7ffb45da0000	0x7ffb45e08fff	Memory Mapped File	rwx	-
kernel32.dll	0x7ffb45e10000	0x7ffb45ebcfff	Memory Mapped File	rwx	-
imm32.dll	0x7ffb46070000	0x7ffb460a5fff	Memory Mapped File	rwx	-
gdi32.dll	0x7ffb460c0000	0x7ffb46244fff	Memory Mapped File	rwx	-
shlwapi.dll	0x7ffb46250000	0x7ffb462a0fff	Memory Mapped File	rwx	-
msctf.dll	0x7ffb462d0000	0x7ffb4642bfff	Memory Mapped File	rwx	-
combase.dll	0x7ffb46610000	0x7ffb4688bfff	Memory Mapped File	rwx	-
nsi.dll	0x7ffb47e20000	0x7ffb47e27fff	Memory Mapped File	rwx	-
advapi32.dll	0x7ffb47e30000	0x7ffb47ed5fff	Memory Mapped File	rwx	-
oleaut32.dll	0x7ffb47f40000	0x7ffb47ffdfff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ffb48000000	0x7ffb4809cfff	Memory Mapped File	rwx	-
ntdll.dll	0x7ffb48180000	0x7ffb48341fff	Memory Mapped File	rwx	-

Process #19: cmd.exe

Information	Value
ID	#19
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:18, Reason: Child Process
Unmonitor	End Time: 00:03:20, Reason: Self Terminated
Monitor Duration	00:00:02

OS Process Information

Information	Value
PID	0x8f4
Parent PID	0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 9F4 0x 7F8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000f209fc0000	0xf209fc0000	0xf209fdffff	Private Memory	rw	-
pagefile_0x000000f209fc0000	0xf209fc0000	0xf209fcffff	Pagefile Backed Memory	rw	-
private_0x000000f209fd0000	0xf209fd0000	0xf209fd6fff	Private Memory	rw	-
pagefile_0x000000f209fe0000	0xf209fe0000	0xf209ff3fff	Pagefile Backed Memory	r	-
private_0x000000f20a000000	0xf20a000000	0xf20a0fffff	Private Memory	rw	-
pagefile_0x000000f20a100000	0xf20a100000	0xf20a103fff	Pagefile Backed Memory	r	-
pagefile_0x000000f20a110000	0xf20a110000	0xf20a110fff	Pagefile Backed Memory	r	-
private_0x000000f20a120000	0xf20a120000	0xf20a121fff	Private Memory	rw	-
private_0x000000f20a130000	0xf20a130000	0xf20a136fff	Private Memory	rw	-
private_0x000000f20a170000	0xf20a170000	0xf20a26ffff	Private Memory	rw	-
locale.nls	0xf20a270000	0xf20a32dfff	Memory Mapped File	r	-
private_0x000000f20a330000	0xf20a330000	0xf20a42ffff	Private Memory	rw	-
private_0x000000f20a600000	0xf20a600000	0xf20a60ffff	Private Memory	rw	-
pagefile_0x00007df5ff350000	0x7df5ff350000	0x7ff5ff34ffff	Pagefile Backed Memory	-	-
pagefile_0x00007ff7b4650000	0x7ff7b4650000	0x7ff7b474ffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff7b4750000	0x7ff7b4750000	0x7ff7b4772fff	Pagefile Backed Memory	r	-
private_0x00007ff7b477a000	0x7ff7b477a000	0x7ff7b477afff	Private Memory	rw	-
private_0x00007ff7b477c000	0x7ff7b477c000	0x7ff7b477dfff	Private Memory	rw	-
private_0x00007ff7b477e000	0x7ff7b477e000	0x7ff7b477ffff	Private Memory	rw	-
cmd.exe	0x7ff7b50b0000	0x7ff7b5108fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ffb45670000	0x7ffb4584cfff	Memory Mapped File	rwx	-
kernel32.dll	0x7ffb45e10000	0x7ffb45ebcfff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ffb48000000	0x7ffb4809cfff	Memory Mapped File	rwx	-
ntdll.dll	0x7ffb48180000	0x7ffb48341fff	Memory Mapped File	rwx	-

Threads

Thread 0x9f4

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x7ff7b50b0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffb45e2d550	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7ffb45e325e0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7ffb45e31f90	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7ffb456c3a10	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = size	1	Fn
File	Read	filename = STD_OUTPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 11	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #21: cmd.exe

Information	Value
ID	#21
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /C "net view >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:19, Reason: Child Process
Unmonitor	End Time: 00:03:32, Reason: Self Terminated
Monitor Duration	00:00:13

OS Process Information

Information	Value
PID	0x428
Parent PID	0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 534 0x 840

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
sortdefault.nls	0xb900000000	0xb900336fff	Memory Mapped File	r	-
private_0x000000b97f990000	0xb97f990000	0xb97f9affff	Private Memory	rw	-
pagefile_0x000000b97f990000	0xb97f990000	0xb97f99ffff	Pagefile Backed Memory	rw	-
private_0x000000b97f9a0000	0xb97f9a0000	0xb97f9a6fff	Private Memory	rw	-
pagefile_0x000000b97f9b0000	0xb97f9b0000	0xb97f9c3fff	Pagefile Backed Memory	r	-
private_0x000000b97f9d0000	0xb97f9d0000	0xb97facffff	Private Memory	rw	-
pagefile_0x000000b97fad0000	0xb97fad0000	0xb97fad3fff	Pagefile Backed Memory	r	-
pagefile_0x000000b97fae0000	0xb97fae0000	0xb97fae0fff	Pagefile Backed Memory	r	-
private_0x000000b97faf0000	0xb97faf0000	0xb97faf1fff	Private Memory	rw	-
locale.nls	0xb97fb00000	0xb97fbbdfff	Memory Mapped File	r	-
private_0x000000b97fbc0000	0xb97fbc0000	0xb97fbc6fff	Private Memory	rw	-
private_0x000000b97fbd0000	0xb97fbd0000	0xb97fccffff	Private Memory	rw	-
private_0x000000b97fcd0000	0xb97fcd0000	0xb97fdcffff	Private Memory	rw	-
private_0x000000b97fe30000	0xb97fe30000	0xb97fe3ffff	Private Memory	rw	-
pagefile_0x00007df5ff040000	0x7df5ff040000	0x7ff5ff03ffff	Pagefile Backed Memory	-	-
pagefile_0x00007ff7b4980000	0x7ff7b4980000	0x7ff7b4a7ffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff7b4a80000	0x7ff7b4a80000	0x7ff7b4aa2fff	Pagefile Backed Memory	r	-
private_0x00007ff7b4aab000	0x7ff7b4aab000	0x7ff7b4aacfff	Private Memory	rw	-
private_0x00007ff7b4aad000	0x7ff7b4aad000	0x7ff7b4aaefff	Private Memory	rw	-
private_0x00007ff7b4aaf000	0x7ff7b4aaf000	0x7ff7b4aaffff	Private Memory	rw	-
cmd.exe	0x7ff7b50b0000	0x7ff7b5108fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ffb45670000	0x7ffb4584cfff	Memory Mapped File	rwx	-
kernel32.dll	0x7ffb45e10000	0x7ffb45ebcfff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ffb48000000	0x7ffb4809cfff	Memory Mapped File	rwx	-
ntdll.dll	0x7ffb48180000	0x7ffb48341fff	Memory Mapped File	rwx	-

Threads

Thread 0x534

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x7ff7b50b0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffb45e2d550	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7ffb45e325e0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7ffb45e31f90	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7ffb456c3a10	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = size	1	Fn
File	Read	filename = STD_OUTPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\net.exe, os_pid = 0x2c8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000002	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #23: net.exe

Information	Value
ID	#23
File Name	c:\windows\system32\net.exe
Command Line	net view
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:19, Reason: Child Process
Unmonitor	End Time: 00:03:32, Reason: Self Terminated
Monitor Duration	00:00:13
Remark	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x2c8
Parent PID	0x428 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 15C 0x 1B4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000f4ed910000	0xf4ed910000	0xf4ed92ffff	Private Memory	rw	-
pagefile_0x000000f4ed910000	0xf4ed910000	0xf4ed91ffff	Pagefile Backed Memory	rw	-
private_0x000000f4ed920000	0xf4ed920000	0xf4ed926fff	Private Memory	rw	-
pagefile_0x000000f4ed930000	0xf4ed930000	0xf4ed943fff	Pagefile Backed Memory	r	-
private_0x000000f4ed950000	0xf4ed950000	0xf4ed9cffff	Private Memory	rw	-
pagefile_0x000000f4ed9d0000	0xf4ed9d0000	0xf4ed9d3fff	Pagefile Backed Memory	r	-
pagefile_0x000000f4ed9e0000	0xf4ed9e0000	0xf4ed9e0fff	Pagefile Backed Memory	r	-
private_0x000000f4ed9f0000	0xf4ed9f0000	0xf4ed9f1fff	Private Memory	rw	-
locale.nls	0xf4eda00000	0xf4edabdfff	Memory Mapped File	r	-
private_0x000000f4edac0000	0xf4edac0000	0xf4edb3ffff	Private Memory	rw	-
private_0x000000f4edb40000	0xf4edb40000	0xf4edb46fff	Private Memory	rw	-
netmsg.dll	0xf4edb50000	0xf4edb52fff	Memory Mapped File	rwx	-
netmsg.dll.mui	0xf4edb60000	0xf4edb91fff	Memory Mapped File	r	-
private_0x000000f4edba0000	0xf4edba0000	0xf4edc9ffff	Private Memory	rw	-
private_0x000000f4edd90000	0xf4edd90000	0xf4edd9ffff	Private Memory	rw	-
pagefile_0x00007df5ffc40000	0x7df5ffc40000	0x7ff5ffc3ffff	Pagefile Backed Memory	-	-
pagefile_0x00007ff669bb0000	0x7ff669bb0000	0x7ff669caffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff669cb0000	0x7ff669cb0000	0x7ff669cd2fff	Pagefile Backed Memory	r	-
private_0x00007ff669cda000	0x7ff669cda000	0x7ff669cdbfff	Private Memory	rw	-
private_0x00007ff669cdc000	0x7ff669cdc000	0x7ff669cdcfff	Private Memory	rw	-
private_0x00007ff669cde000	0x7ff669cde000	0x7ff669cdffff	Private Memory	rw	-
net.exe	0x7ff66a400000	0x7ff66a41cfff	Memory Mapped File	rwx	-
cscapi.dll	0x7ffb3a360000	0x7ffb3a371fff	Memory Mapped File	rwx	-
browcli.dll	0x7ffb3c800000	0x7ffb3c813fff	Memory Mapped File	rwx	-
samcli.dll	0x7ffb41140000	0x7ffb41157fff	Memory Mapped File	rwx	-
wkscli.dll	0x7ffb416a0000	0x7ffb416b5fff	Memory Mapped File	rwx	-
winnsi.dll	0x7ffb423e0000	0x7ffb423eafff	Memory Mapped File	rwx	-
iphlpapi.dll	0x7ffb42400000	0x7ffb42437fff	Memory Mapped File	rwx	-
mpr.dll	0x7ffb43de0000	0x7ffb43dfbfff	Memory Mapped File	rwx	-
netutils.dll	0x7ffb43e00000	0x7ffb43e0bfff	Memory Mapped File	rwx	-
srvcli.dll	0x7ffb43e10000	0x7ffb43e35fff	Memory Mapped File	rwx	-
bcrypt.dll	0x7ffb449d0000	0x7ffb449f7fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ffb45670000	0x7ffb4584cfff	Memory Mapped File	rwx	-
sechost.dll	0x7ffb45ac0000	0x7ffb45b1afff	Memory Mapped File	rwx	-
rpcrt4.dll	0x7ffb45b20000	0x7ffb45c45fff	Memory Mapped File	rwx	-
kernel32.dll	0x7ffb45e10000	0x7ffb45ebcfff	Memory Mapped File	rwx	-
nsi.dll	0x7ffb47e20000	0x7ffb47e27fff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ffb48000000	0x7ffb4809cfff	Memory Mapped File	rwx	-
ntdll.dll	0x7ffb48180000	0x7ffb48341fff	Memory Mapped File	rwx	-

Process #24: cmd.exe

Information	Value
ID	#24
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:31, Reason: Child Process
Unmonitor	End Time: 00:03:32, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0x200
Parent PID	0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 24C 0x 380

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x0000004007660000	0x4007660000	0x400767ffff	Private Memory	rw	-
pagefile_0x0000004007660000	0x4007660000	0x400766ffff	Pagefile Backed Memory	rw	-
private_0x0000004007670000	0x4007670000	0x4007676fff	Private Memory	rw	-
pagefile_0x0000004007680000	0x4007680000	0x4007693fff	Pagefile Backed Memory	r	-
private_0x00000040076a0000	0x40076a0000	0x400779ffff	Private Memory	rw	-
pagefile_0x00000040077a0000	0x40077a0000	0x40077a3fff	Pagefile Backed Memory	r	-
pagefile_0x00000040077b0000	0x40077b0000	0x40077b0fff	Pagefile Backed Memory	r	-
private_0x00000040077c0000	0x40077c0000	0x40077c1fff	Private Memory	rw	-
locale.nls	0x40077d0000	0x400788dfff	Memory Mapped File	r	-
private_0x0000004007890000	0x4007890000	0x4007896fff	Private Memory	rw	-
private_0x0000004007910000	0x4007910000	0x4007a0ffff	Private Memory	rw	-
private_0x0000004007a10000	0x4007a10000	0x4007b0ffff	Private Memory	rw	-
private_0x0000004007c60000	0x4007c60000	0x4007c6ffff	Private Memory	rw	-
pagefile_0x00007df5ff030000	0x7df5ff030000	0x7ff5ff02ffff	Pagefile Backed Memory	-	-
pagefile_0x00007ff7b4440000	0x7ff7b4440000	0x7ff7b453ffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff7b4540000	0x7ff7b4540000	0x7ff7b4562fff	Pagefile Backed Memory	r	-
private_0x00007ff7b456b000	0x7ff7b456b000	0x7ff7b456cfff	Private Memory	rw	-
private_0x00007ff7b456d000	0x7ff7b456d000	0x7ff7b456efff	Private Memory	rw	-
private_0x00007ff7b456f000	0x7ff7b456f000	0x7ff7b456ffff	Private Memory	rw	-
cmd.exe	0x7ff7b50b0000	0x7ff7b5108fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ffb45670000	0x7ffb4584cfff	Memory Mapped File	rwx	-
kernel32.dll	0x7ffb45e10000	0x7ffb45ebcfff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ffb48000000	0x7ffb4809cfff	Memory Mapped File	rwx	-
ntdll.dll	0x7ffb48180000	0x7ffb48341fff	Memory Mapped File	rwx	-

Threads

Thread 0x24c

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x7ff7b50b0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffb45e2d550	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7ffb45e325e0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7ffb45e31f90	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7ffb456c3a10	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = size	1	Fn
File	Read	filename = STD_OUTPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 11	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #26: cmd.exe

Information	Value
ID	#26
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /C "nslookup 127.0.0.1 >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:31, Reason: Child Process
Unmonitor	End Time: 00:03:33, Reason: Self Terminated
Monitor Duration	00:00:02

OS Process Information

Information	Value
PID	0x8cc
Parent PID	0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 8EC 0x F0

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000bc5c220000	0xbc5c220000	0xbc5c23ffff	Private Memory	rw	-
pagefile_0x000000bc5c220000	0xbc5c220000	0xbc5c22ffff	Pagefile Backed Memory	rw	-
private_0x000000bc5c230000	0xbc5c230000	0xbc5c236fff	Private Memory	rw	-
pagefile_0x000000bc5c240000	0xbc5c240000	0xbc5c253fff	Pagefile Backed Memory	r	-
private_0x000000bc5c260000	0xbc5c260000	0xbc5c35ffff	Private Memory	rw	-
pagefile_0x000000bc5c360000	0xbc5c360000	0xbc5c363fff	Pagefile Backed Memory	r	-
pagefile_0x000000bc5c370000	0xbc5c370000	0xbc5c370fff	Pagefile Backed Memory	r	-
private_0x000000bc5c380000	0xbc5c380000	0xbc5c381fff	Private Memory	rw	-
locale.nls	0xbc5c390000	0xbc5c44dfff	Memory Mapped File	r	-
private_0x000000bc5c450000	0xbc5c450000	0xbc5c54ffff	Private Memory	rw	-
private_0x000000bc5c550000	0xbc5c550000	0xbc5c64ffff	Private Memory	rw	-
private_0x000000bc5c650000	0xbc5c650000	0xbc5c656fff	Private Memory	rw	-
private_0x000000bc5c750000	0xbc5c750000	0xbc5c75ffff	Private Memory	rw	-
sortdefault.nls	0xbc5c760000	0xbc5ca96fff	Memory Mapped File	r	-
pagefile_0x00007df5ff1e0000	0x7df5ff1e0000	0x7ff5ff1dffff	Pagefile Backed Memory	-	-
pagefile_0x00007ff7b3fc0000	0x7ff7b3fc0000	0x7ff7b40bffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff7b40c0000	0x7ff7b40c0000	0x7ff7b40e2fff	Pagefile Backed Memory	r	-
private_0x00007ff7b40e6000	0x7ff7b40e6000	0x7ff7b40e6fff	Private Memory	rw	-
private_0x00007ff7b40ec000	0x7ff7b40ec000	0x7ff7b40edfff	Private Memory	rw	-
private_0x00007ff7b40ee000	0x7ff7b40ee000	0x7ff7b40effff	Private Memory	rw	-
cmd.exe	0x7ff7b50b0000	0x7ff7b5108fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ffb45670000	0x7ffb4584cfff	Memory Mapped File	rwx	-
kernel32.dll	0x7ffb45e10000	0x7ffb45ebcfff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ffb48000000	0x7ffb4809cfff	Memory Mapped File	rwx	-
ntdll.dll	0x7ffb48180000	0x7ffb48341fff	Memory Mapped File	rwx	-

Threads

Thread 0x8ec

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x7ff7b50b0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffb45e2d550	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7ffb45e325e0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7ffb45e31f90	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7ffb456c3a10	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = size	1	Fn
File	Read	filename = STD_OUTPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\nslookup.exe, os_pid = 0x410, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #28: nslookup.exe

Information	Value
ID	#28
File Name	c:\windows\system32\nslookup.exe
Command Line	nslookup 127.0.0.1
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:32, Reason: Child Process
Unmonitor	End Time: 00:03:33, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0x410
Parent PID	0x8cc (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 44C 0x 4B8 0x 618

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000e0fc2c0000	0xe0fc2c0000	0xe0fc2dffff	Private Memory	rw	-
pagefile_0x000000e0fc2c0000	0xe0fc2c0000	0xe0fc2cffff	Pagefile Backed Memory	rw	-
private_0x000000e0fc2d0000	0xe0fc2d0000	0xe0fc2d6fff	Private Memory	rw	-
pagefile_0x000000e0fc2e0000	0xe0fc2e0000	0xe0fc2f3fff	Pagefile Backed Memory	r	-
private_0x000000e0fc300000	0xe0fc300000	0xe0fc37ffff	Private Memory	rw	-
pagefile_0x000000e0fc380000	0xe0fc380000	0xe0fc383fff	Pagefile Backed Memory	r	-
pagefile_0x000000e0fc390000	0xe0fc390000	0xe0fc390fff	Pagefile Backed Memory	r	-
private_0x000000e0fc3a0000	0xe0fc3a0000	0xe0fc3a1fff	Private Memory	rw	-
private_0x000000e0fc3b0000	0xe0fc3b0000	0xe0fc42ffff	Private Memory	rw	-
private_0x000000e0fc430000	0xe0fc430000	0xe0fc436fff	Private Memory	rw	-
private_0x000000e0fc440000	0xe0fc440000	0xe0fc53ffff	Private Memory	rw	-
locale.nls	0xe0fc540000	0xe0fc5fdfff	Memory Mapped File	r	-
imm32.dll	0xe0fc600000	0xe0fc633fff	Memory Mapped File	r	-
nslookup.exe.mui	0xe0fc600000	0xe0fc604fff	Memory Mapped File	r	-
private_0x000000e0fc610000	0xe0fc610000	0xe0fc610fff	Private Memory	rw	-
private_0x000000e0fc620000	0xe0fc620000	0xe0fc620fff	Private Memory	rw	-
private_0x000000e0fc640000	0xe0fc640000	0xe0fc64ffff	Private Memory	rw	-
pagefile_0x000000e0fc650000	0xe0fc650000	0xe0fc7d7fff	Pagefile Backed Memory	r	-
pagefile_0x000000e0fc7e0000	0xe0fc7e0000	0xe0fc960fff	Pagefile Backed Memory	r	-
pagefile_0x000000e0fc970000	0xe0fc970000	0xe0fdd6ffff	Pagefile Backed Memory	r	-
pagefile_0x00007df5ff600000	0x7df5ff600000	0x7ff5ff5fffff	Pagefile Backed Memory	-	-
pagefile_0x00007ff762b10000	0x7ff762b10000	0x7ff762c0ffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff762c10000	0x7ff762c10000	0x7ff762c32fff	Pagefile Backed Memory	r	-
private_0x00007ff762c3b000	0x7ff762c3b000	0x7ff762c3cfff	Private Memory	rw	-
private_0x00007ff762c3d000	0x7ff762c3d000	0x7ff762c3efff	Private Memory	rw	-
private_0x00007ff762c3f000	0x7ff762c3f000	0x7ff762c3ffff	Private Memory	rw	-
nslookup.exe	0x7ff763260000	0x7ff76327afff	Memory Mapped File	rwx	-
napinsp.dll	0x7ffb3a160000	0x7ffb3a174fff	Memory Mapped File	rwx	-
pnrpnsp.dll	0x7ffb3a1c0000	0x7ffb3a1d9fff	Memory Mapped File	rwx	-
winrnr.dll	0x7ffb3a1e0000	0x7ffb3a1ecfff	Memory Mapped File	rwx	-
dhcpcsvc.dll	0x7ffb41300000	0x7ffb41319fff	Memory Mapped File	rwx	-
dhcpcsvc6.dll	0x7ffb41320000	0x7ffb41335fff	Memory Mapped File	rwx	-
nlaapi.dll	0x7ffb41f20000	0x7ffb41f37fff	Memory Mapped File	rwx	-
winnsi.dll	0x7ffb423e0000	0x7ffb423eafff	Memory Mapped File	rwx	-
iphlpapi.dll	0x7ffb42400000	0x7ffb42437fff	Memory Mapped File	rwx	-
dnsapi.dll	0x7ffb441c0000	0x7ffb44267fff	Memory Mapped File	rwx	-
mswsock.dll	0x7ffb443c0000	0x7ffb4441cfff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ffb45670000	0x7ffb4584cfff	Memory Mapped File	rwx	-
sechost.dll	0x7ffb45ac0000	0x7ffb45b1afff	Memory Mapped File	rwx	-
rpcrt4.dll	0x7ffb45b20000	0x7ffb45c45fff	Memory Mapped File	rwx	-
user32.dll	0x7ffb45c50000	0x7ffb45d9dfff	Memory Mapped File	rwx	-
ws2_32.dll	0x7ffb45da0000	0x7ffb45e08fff	Memory Mapped File	rwx	-
kernel32.dll	0x7ffb45e10000	0x7ffb45ebcfff	Memory Mapped File	rwx	-
imm32.dll	0x7ffb46070000	0x7ffb460a5fff	Memory Mapped File	rwx	-
gdi32.dll	0x7ffb460c0000	0x7ffb46244fff	Memory Mapped File	rwx	-
msctf.dll	0x7ffb462d0000	0x7ffb4642bfff	Memory Mapped File	rwx	-
nsi.dll	0x7ffb47e20000	0x7ffb47e27fff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ffb48000000	0x7ffb4809cfff	Memory Mapped File	rwx	-
ntdll.dll	0x7ffb48180000	0x7ffb48341fff	Memory Mapped File	rwx	-

Threads

Thread 0x44c

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\nslookup.exe, base_address = 0x7ff763260000	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM	1	Fn
Socket	Close	type = SOCK_DGRAM	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DNSLookupOrder	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Domain	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpDomain	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = SearchList	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpSearchList	1	Fn
DNS	Get Hostname	name_out = LHnIwsj	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM	1	Fn
Socket	Connect	remote_address = 192.168.0.1, remote_port = 53	1	Fn
Socket	Send	flags = NO_FLAG_SET, size = 42, size_out = 42	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 42	1	Fn Data
Socket	Close	type = SOCK_DGRAM	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM	1	Fn
Socket	Connect	remote_address = 192.168.0.1, remote_port = 53	1	Fn
Socket	Send	flags = NO_FLAG_SET, size = 40, size_out = 40	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 63	1	Fn Data
Socket	Close	type = SOCK_DGRAM	1	Fn

Process #29: cmd.exe

Information	Value
ID	#29
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:32, Reason: Child Process
Unmonitor	End Time: 00:03:33, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0x274
Parent PID	0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 770 0x 630

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x0000008eec0a0000	0x8eec0a0000	0x8eec0bffff	Private Memory	rw	-
pagefile_0x0000008eec0a0000	0x8eec0a0000	0x8eec0affff	Pagefile Backed Memory	rw	-
private_0x0000008eec0b0000	0x8eec0b0000	0x8eec0b6fff	Private Memory	rw	-
pagefile_0x0000008eec0c0000	0x8eec0c0000	0x8eec0d3fff	Pagefile Backed Memory	r	-
private_0x0000008eec0e0000	0x8eec0e0000	0x8eec1dffff	Private Memory	rw	-
pagefile_0x0000008eec1e0000	0x8eec1e0000	0x8eec1e3fff	Pagefile Backed Memory	r	-
pagefile_0x0000008eec1f0000	0x8eec1f0000	0x8eec1f0fff	Pagefile Backed Memory	r	-
private_0x0000008eec200000	0x8eec200000	0x8eec201fff	Private Memory	rw	-
locale.nls	0x8eec210000	0x8eec2cdfff	Memory Mapped File	r	-
private_0x0000008eec2d0000	0x8eec2d0000	0x8eec2d6fff	Private Memory	rw	-
private_0x0000008eec370000	0x8eec370000	0x8eec46ffff	Private Memory	rw	-
private_0x0000008eec470000	0x8eec470000	0x8eec56ffff	Private Memory	rw	-
private_0x0000008eec660000	0x8eec660000	0x8eec66ffff	Private Memory	rw	-
pagefile_0x00007df5ffc90000	0x7df5ffc90000	0x7ff5ffc8ffff	Pagefile Backed Memory	-	-
pagefile_0x00007ff7b4de0000	0x7ff7b4de0000	0x7ff7b4edffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff7b4ee0000	0x7ff7b4ee0000	0x7ff7b4f02fff	Pagefile Backed Memory	r	-
private_0x00007ff7b4f0a000	0x7ff7b4f0a000	0x7ff7b4f0bfff	Private Memory	rw	-
private_0x00007ff7b4f0c000	0x7ff7b4f0c000	0x7ff7b4f0dfff	Private Memory	rw	-
private_0x00007ff7b4f0e000	0x7ff7b4f0e000	0x7ff7b4f0efff	Private Memory	rw	-
cmd.exe	0x7ff7b50b0000	0x7ff7b5108fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ffb45670000	0x7ffb4584cfff	Memory Mapped File	rwx	-
kernel32.dll	0x7ffb45e10000	0x7ffb45ebcfff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ffb48000000	0x7ffb4809cfff	Memory Mapped File	rwx	-
ntdll.dll	0x7ffb48180000	0x7ffb48341fff	Memory Mapped File	rwx	-

Threads

Thread 0x770

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x7ff7b50b0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffb45e2d550	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7ffb45e325e0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7ffb45e31f90	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7ffb456c3a10	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = size	1	Fn
File	Read	filename = STD_OUTPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 11	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #31: cmd.exe

Information	Value
ID	#31
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /C "tasklist.exe /SVC >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:32, Reason: Child Process
Unmonitor	End Time: 00:03:34, Reason: Self Terminated
Monitor Duration	00:00:02

OS Process Information

Information	Value
PID	0xb18
Parent PID	0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x BEC 0x 124

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x00000012561c0000	0x12561c0000	0x12561dffff	Private Memory	rw	-
pagefile_0x00000012561c0000	0x12561c0000	0x12561cffff	Pagefile Backed Memory	rw	-
private_0x00000012561d0000	0x12561d0000	0x12561d6fff	Private Memory	rw	-
pagefile_0x00000012561e0000	0x12561e0000	0x12561f3fff	Pagefile Backed Memory	r	-
private_0x0000001256200000	0x1256200000	0x12562fffff	Private Memory	rw	-
pagefile_0x0000001256300000	0x1256300000	0x1256303fff	Pagefile Backed Memory	r	-
pagefile_0x0000001256310000	0x1256310000	0x1256310fff	Pagefile Backed Memory	r	-
private_0x0000001256320000	0x1256320000	0x1256321fff	Private Memory	rw	-
private_0x0000001256330000	0x1256330000	0x1256336fff	Private Memory	rw	-
private_0x0000001256380000	0x1256380000	0x125647ffff	Private Memory	rw	-
locale.nls	0x1256480000	0x125653dfff	Memory Mapped File	r	-
private_0x0000001256540000	0x1256540000	0x125663ffff	Private Memory	rw	-
private_0x0000001256740000	0x1256740000	0x125674ffff	Private Memory	rw	-
sortdefault.nls	0x1256750000	0x1256a86fff	Memory Mapped File	r	-
pagefile_0x00007df5fffa0000	0x7df5fffa0000	0x7ff5fff9ffff	Pagefile Backed Memory	-	-
pagefile_0x00007ff7b4450000	0x7ff7b4450000	0x7ff7b454ffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff7b4550000	0x7ff7b4550000	0x7ff7b4572fff	Pagefile Backed Memory	r	-
private_0x00007ff7b457b000	0x7ff7b457b000	0x7ff7b457cfff	Private Memory	rw	-
private_0x00007ff7b457d000	0x7ff7b457d000	0x7ff7b457efff	Private Memory	rw	-
private_0x00007ff7b457f000	0x7ff7b457f000	0x7ff7b457ffff	Private Memory	rw	-
cmd.exe	0x7ff7b50b0000	0x7ff7b5108fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ffb45670000	0x7ffb4584cfff	Memory Mapped File	rwx	-
kernel32.dll	0x7ffb45e10000	0x7ffb45ebcfff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ffb48000000	0x7ffb4809cfff	Memory Mapped File	rwx	-
ntdll.dll	0x7ffb48180000	0x7ffb48341fff	Memory Mapped File	rwx	-

Threads

Thread 0xbec

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x7ff7b50b0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffb45e2d550	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7ffb45e325e0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7ffb45e31f90	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7ffb456c3a10	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = size	1	Fn
File	Read	filename = STD_OUTPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Get Info	filename = tasklist.exe, type = file_attributes	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\tasklist.exe, os_pid = 0xa3c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #33: tasklist.exe

Information	Value
ID	#33
File Name	c:\windows\system32\tasklist.exe
Command Line	tasklist.exe /SVC
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:32, Reason: Child Process
Unmonitor	End Time: 00:03:33, Reason: Self Terminated
Monitor Duration	00:00:01
Remark	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0xa3c
Parent PID	0xb18 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 558 0x 540 0x 984 0x 8E0 0x 880

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000020fbd0000	0x20fbd0000	0x20fbeffff	Private Memory	rw	-
pagefile_0x000000020fbd0000	0x20fbd0000	0x20fbdffff	Pagefile Backed Memory	rw	-
private_0x000000020fbe0000	0x20fbe0000	0x20fbe6fff	Private Memory	rw	-
pagefile_0x000000020fbf0000	0x20fbf0000	0x20fc03fff	Pagefile Backed Memory	r	-
private_0x000000020fc10000	0x20fc10000	0x20fc8ffff	Private Memory	rw	-
pagefile_0x000000020fc90000	0x20fc90000	0x20fc93fff	Pagefile Backed Memory	r	-
pagefile_0x000000020fca0000	0x20fca0000	0x20fca0fff	Pagefile Backed Memory	r	-
private_0x000000020fcb0000	0x20fcb0000	0x20fcb1fff	Private Memory	rw	-
locale.nls	0x20fcc0000	0x20fd7dfff	Memory Mapped File	r	-
private_0x000000020fd80000	0x20fd80000	0x20fdfffff	Private Memory	rw	-
private_0x000000020fe00000	0x20fe00000	0x20fe06fff	Private Memory	rw	-
tasklist.exe.mui	0x20fe10000	0x20fe13fff	Memory Mapped File	r	-
private_0x000000020fe20000	0x20fe20000	0x20ff1ffff	Private Memory	rw	-
pagefile_0x000000020ff20000	0x20ff20000	0x2100a7fff	Pagefile Backed Memory	r	-
private_0x00000002100b0000	0x2100b0000	0x2100b0fff	Private Memory	rw	-
private_0x00000002100c0000	0x2100c0000	0x2100c0fff	Private Memory	rw	-
pagefile_0x00000002100d0000	0x2100d0000	0x2100d0fff	Pagefile Backed Memory	r	-
pagefile_0x00000002100e0000	0x2100e0000	0x2100e0fff	Pagefile Backed Memory	r	-
wmiutils.dll.mui	0x2100f0000	0x2100f4fff	Memory Mapped File	r	-
private_0x0000000210110000	0x210110000	0x21011ffff	Private Memory	rw	-
pagefile_0x0000000210120000	0x210120000	0x2102a0fff	Pagefile Backed Memory	r	-
pagefile_0x00000002102b0000	0x2102b0000	0x2116affff	Pagefile Backed Memory	r	-
sortdefault.nls	0x2116b0000	0x2119e6fff	Memory Mapped File	r	-
kernelbase.dll.mui	0x2119f0000	0x211acefff	Memory Mapped File	r	-
private_0x0000000211ad0000	0x211ad0000	0x211b4ffff	Private Memory	rw	-
private_0x0000000211b50000	0x211b50000	0x211bcffff	Private Memory	rw	-
private_0x0000000211bd0000	0x211bd0000	0x211c4ffff	Private Memory	rw	-
pagefile_0x00007df5ff470000	0x7df5ff470000	0x7ff5ff46ffff	Pagefile Backed Memory	-	-
pagefile_0x00007ff6f1a80000	0x7ff6f1a80000	0x7ff6f1b7ffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff6f1b80000	0x7ff6f1b80000	0x7ff6f1ba2fff	Pagefile Backed Memory	r	-
private_0x00007ff6f1ba4000	0x7ff6f1ba4000	0x7ff6f1ba5fff	Private Memory	rw	-
private_0x00007ff6f1ba6000	0x7ff6f1ba6000	0x7ff6f1ba7fff	Private Memory	rw	-
private_0x00007ff6f1ba8000	0x7ff6f1ba8000	0x7ff6f1ba8fff	Private Memory	rw	-
private_0x00007ff6f1baa000	0x7ff6f1baa000	0x7ff6f1babfff	Private Memory	rw	-
private_0x00007ff6f1bac000	0x7ff6f1bac000	0x7ff6f1badfff	Private Memory	rw	-
private_0x00007ff6f1bae000	0x7ff6f1bae000	0x7ff6f1baffff	Private Memory	rw	-
tasklist.exe	0x7ff6f26c0000	0x7ff6f26dcfff	Memory Mapped File	rwx	-
dbghelp.dll	0x7ffb35d00000	0x7ffb35e89fff	Memory Mapped File	rwx	-
framedynos.dll	0x7ffb36180000	0x7ffb361cdfff	Memory Mapped File	rwx	-
wmiutils.dll	0x7ffb38f40000	0x7ffb38f64fff	Memory Mapped File	rwx	-
wbemsvc.dll	0x7ffb38f70000	0x7ffb38f83fff	Memory Mapped File	rwx	-
fastprox.dll	0x7ffb38f90000	0x7ffb39087fff	Memory Mapped File	rwx	-
wbemprox.dll	0x7ffb397a0000	0x7ffb397b0fff	Memory Mapped File	rwx	-
version.dll	0x7ffb3d3b0000	0x7ffb3d3b9fff	Memory Mapped File	rwx	-
wbemcomn.dll	0x7ffb3db20000	0x7ffb3db9efff	Memory Mapped File	rwx	-
mpr.dll	0x7ffb43de0000	0x7ffb43dfbfff	Memory Mapped File	rwx	-
netutils.dll	0x7ffb43e00000	0x7ffb43e0bfff	Memory Mapped File	rwx	-
srvcli.dll	0x7ffb43e10000	0x7ffb43e35fff	Memory Mapped File	rwx	-
rsaenh.dll	0x7ffb44070000	0x7ffb440a2fff	Memory Mapped File	rwx	-
cryptsp.dll	0x7ffb44420000	0x7ffb44436fff	Memory Mapped File	rwx	-
cryptbase.dll	0x7ffb44590000	0x7ffb4459afff	Memory Mapped File	rwx	-
winsta.dll	0x7ffb44620000	0x7ffb44677fff	Memory Mapped File	rwx	-
sspicli.dll	0x7ffb447d0000	0x7ffb447fbfff	Memory Mapped File	rwx	-
bcrypt.dll	0x7ffb449d0000	0x7ffb449f7fff	Memory Mapped File	rwx	-
bcryptprimitives.dll	0x7ffb44a00000	0x7ffb44a6afff	Memory Mapped File	rwx	-
kernel.appcore.dll	0x7ffb44c20000	0x7ffb44c2efff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ffb45670000	0x7ffb4584cfff	Memory Mapped File	rwx	-
clbcatq.dll	0x7ffb45850000	0x7ffb458f4fff	Memory Mapped File	rwx	-
sechost.dll	0x7ffb45ac0000	0x7ffb45b1afff	Memory Mapped File	rwx	-
rpcrt4.dll	0x7ffb45b20000	0x7ffb45c45fff	Memory Mapped File	rwx	-
user32.dll	0x7ffb45c50000	0x7ffb45d9dfff	Memory Mapped File	rwx	-
ws2_32.dll	0x7ffb45da0000	0x7ffb45e08fff	Memory Mapped File	rwx	-
kernel32.dll	0x7ffb45e10000	0x7ffb45ebcfff	Memory Mapped File	rwx	-
imm32.dll	0x7ffb46070000	0x7ffb460a5fff	Memory Mapped File	rwx	-
gdi32.dll	0x7ffb460c0000	0x7ffb46244fff	Memory Mapped File	rwx	-
shlwapi.dll	0x7ffb46250000	0x7ffb462a0fff	Memory Mapped File	rwx	-
msctf.dll	0x7ffb462d0000	0x7ffb4642bfff	Memory Mapped File	rwx	-
combase.dll	0x7ffb46610000	0x7ffb4688bfff	Memory Mapped File	rwx	-
nsi.dll	0x7ffb47e20000	0x7ffb47e27fff	Memory Mapped File	rwx	-
advapi32.dll	0x7ffb47e30000	0x7ffb47ed5fff	Memory Mapped File	rwx	-
oleaut32.dll	0x7ffb47f40000	0x7ffb47ffdfff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ffb48000000	0x7ffb4809cfff	Memory Mapped File	rwx	-
ntdll.dll	0x7ffb48180000	0x7ffb48341fff	Memory Mapped File	rwx	-

Process #34: cmd.exe

Information	Value
ID	#34
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:33, Reason: Child Process
Unmonitor	End Time: 00:03:34, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0xbbc
Parent PID	0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x BFC 0x AEC

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x00000073a5b40000	0x73a5b40000	0x73a5b5ffff	Private Memory	rw	-
pagefile_0x00000073a5b40000	0x73a5b40000	0x73a5b4ffff	Pagefile Backed Memory	rw	-
private_0x00000073a5b50000	0x73a5b50000	0x73a5b56fff	Private Memory	rw	-
pagefile_0x00000073a5b60000	0x73a5b60000	0x73a5b73fff	Pagefile Backed Memory	r	-
private_0x00000073a5b80000	0x73a5b80000	0x73a5c7ffff	Private Memory	rw	-
pagefile_0x00000073a5c80000	0x73a5c80000	0x73a5c83fff	Pagefile Backed Memory	r	-
pagefile_0x00000073a5c90000	0x73a5c90000	0x73a5c90fff	Pagefile Backed Memory	r	-
private_0x00000073a5ca0000	0x73a5ca0000	0x73a5ca1fff	Private Memory	rw	-
locale.nls	0x73a5cb0000	0x73a5d6dfff	Memory Mapped File	r	-
private_0x00000073a5d70000	0x73a5d70000	0x73a5d76fff	Private Memory	rw	-
private_0x00000073a5e30000	0x73a5e30000	0x73a5f2ffff	Private Memory	rw	-
private_0x00000073a5f30000	0x73a5f30000	0x73a602ffff	Private Memory	rw	-
private_0x00000073a6190000	0x73a6190000	0x73a619ffff	Private Memory	rw	-
pagefile_0x00007df5ff980000	0x7df5ff980000	0x7ff5ff97ffff	Pagefile Backed Memory	-	-
pagefile_0x00007ff7b4010000	0x7ff7b4010000	0x7ff7b410ffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff7b4110000	0x7ff7b4110000	0x7ff7b4132fff	Pagefile Backed Memory	r	-
private_0x00007ff7b413b000	0x7ff7b413b000	0x7ff7b413bfff	Private Memory	rw	-
private_0x00007ff7b413c000	0x7ff7b413c000	0x7ff7b413dfff	Private Memory	rw	-
private_0x00007ff7b413e000	0x7ff7b413e000	0x7ff7b413ffff	Private Memory	rw	-
cmd.exe	0x7ff7b50b0000	0x7ff7b5108fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ffb45670000	0x7ffb4584cfff	Memory Mapped File	rwx	-
kernel32.dll	0x7ffb45e10000	0x7ffb45ebcfff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ffb48000000	0x7ffb4809cfff	Memory Mapped File	rwx	-
ntdll.dll	0x7ffb48180000	0x7ffb48341fff	Memory Mapped File	rwx	-

Threads

Thread 0xbfc

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x7ff7b50b0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffb45e2d550	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7ffb45e325e0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7ffb45e31f90	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7ffb456c3a10	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = size	1	Fn
File	Read	filename = STD_OUTPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 11	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #36: cmd.exe

Information	Value
ID	#36
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /C "driverquery.exe >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:33, Reason: Child Process
Unmonitor	End Time: 00:03:38, Reason: Self Terminated
Monitor Duration	00:00:05

OS Process Information

Information	Value
PID	0xb00
Parent PID	0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x BC4 0x 5A8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000be8d000000	0xbe8d000000	0xbe8d01ffff	Private Memory	rw	-
pagefile_0x000000be8d000000	0xbe8d000000	0xbe8d00ffff	Pagefile Backed Memory	rw	-
private_0x000000be8d010000	0xbe8d010000	0xbe8d016fff	Private Memory	rw	-
pagefile_0x000000be8d020000	0xbe8d020000	0xbe8d033fff	Pagefile Backed Memory	r	-
private_0x000000be8d040000	0xbe8d040000	0xbe8d13ffff	Private Memory	rw	-
pagefile_0x000000be8d140000	0xbe8d140000	0xbe8d143fff	Pagefile Backed Memory	r	-
pagefile_0x000000be8d150000	0xbe8d150000	0xbe8d150fff	Pagefile Backed Memory	r	-
private_0x000000be8d160000	0xbe8d160000	0xbe8d161fff	Private Memory	rw	-
locale.nls	0xbe8d170000	0xbe8d22dfff	Memory Mapped File	r	-
private_0x000000be8d230000	0xbe8d230000	0xbe8d236fff	Private Memory	rw	-
private_0x000000be8d280000	0xbe8d280000	0xbe8d37ffff	Private Memory	rw	-
private_0x000000be8d380000	0xbe8d380000	0xbe8d47ffff	Private Memory	rw	-
private_0x000000be8d560000	0xbe8d560000	0xbe8d56ffff	Private Memory	rw	-
sortdefault.nls	0xbe8d570000	0xbe8d8a6fff	Memory Mapped File	r	-
pagefile_0x00007df5ff340000	0x7df5ff340000	0x7ff5ff33ffff	Pagefile Backed Memory	-	-
pagefile_0x00007ff7b4100000	0x7ff7b4100000	0x7ff7b41fffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff7b4200000	0x7ff7b4200000	0x7ff7b4222fff	Pagefile Backed Memory	r	-
private_0x00007ff7b422b000	0x7ff7b422b000	0x7ff7b422bfff	Private Memory	rw	-
private_0x00007ff7b422c000	0x7ff7b422c000	0x7ff7b422dfff	Private Memory	rw	-
private_0x00007ff7b422e000	0x7ff7b422e000	0x7ff7b422ffff	Private Memory	rw	-
cmd.exe	0x7ff7b50b0000	0x7ff7b5108fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ffb45670000	0x7ffb4584cfff	Memory Mapped File	rwx	-
kernel32.dll	0x7ffb45e10000	0x7ffb45ebcfff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ffb48000000	0x7ffb4809cfff	Memory Mapped File	rwx	-
ntdll.dll	0x7ffb48180000	0x7ffb48341fff	Memory Mapped File	rwx	-

Threads

Thread 0xbc4

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x7ff7b50b0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffb45e2d550	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7ffb45e325e0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7ffb45e31f90	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7ffb456c3a10	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = size	1	Fn
File	Read	filename = STD_OUTPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Get Info	filename = driverquery.exe, type = file_attributes	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\driverquery.exe, os_pid = 0x9a8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #38: driverquery.exe

Information	Value
ID	#38
File Name	c:\windows\system32\driverquery.exe
Command Line	driverquery.exe
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:33, Reason: Child Process
Unmonitor	End Time: 00:03:38, Reason: Self Terminated
Monitor Duration	00:00:05
Remark	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x9a8
Parent PID	0xb00 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 8E4 0x 9F4 0x 7F8 0x 554 0x 7C4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000a5cfdc0000	0xa5cfdc0000	0xa5cfddffff	Private Memory	rw	-
pagefile_0x000000a5cfdc0000	0xa5cfdc0000	0xa5cfdcffff	Pagefile Backed Memory	rw	-
private_0x000000a5cfdd0000	0xa5cfdd0000	0xa5cfdd6fff	Private Memory	rw	-
pagefile_0x000000a5cfde0000	0xa5cfde0000	0xa5cfdf3fff	Pagefile Backed Memory	r	-
private_0x000000a5cfe00000	0xa5cfe00000	0xa5cfe7ffff	Private Memory	rw	-
pagefile_0x000000a5cfe80000	0xa5cfe80000	0xa5cfe83fff	Pagefile Backed Memory	r	-
pagefile_0x000000a5cfe90000	0xa5cfe90000	0xa5cfe90fff	Pagefile Backed Memory	r	-
private_0x000000a5cfea0000	0xa5cfea0000	0xa5cfea1fff	Private Memory	rw	-
locale.nls	0xa5cfeb0000	0xa5cff6dfff	Memory Mapped File	r	-
private_0x000000a5cff70000	0xa5cff70000	0xa5cffeffff	Private Memory	rw	-
private_0x000000a5cfff0000	0xa5cfff0000	0xa5d00effff	Private Memory	rw	-
private_0x000000a5d00f0000	0xa5d00f0000	0xa5d00f6fff	Private Memory	rw	-
driverquery.exe.mui	0xa5d0100000	0xa5d0103fff	Memory Mapped File	r	-
private_0x000000a5d0110000	0xa5d0110000	0xa5d0110fff	Private Memory	rw	-
private_0x000000a5d0120000	0xa5d0120000	0xa5d0120fff	Private Memory	rw	-
private_0x000000a5d01c0000	0xa5d01c0000	0xa5d01cffff	Private Memory	rw	-
pagefile_0x000000a5d01d0000	0xa5d01d0000	0xa5d0357fff	Pagefile Backed Memory	r	-
pagefile_0x000000a5d0360000	0xa5d0360000	0xa5d04e0fff	Pagefile Backed Memory	r	-
pagefile_0x000000a5d04f0000	0xa5d04f0000	0xa5d18effff	Pagefile Backed Memory	r	-
sortdefault.nls	0xa5d18f0000	0xa5d1c26fff	Memory Mapped File	r	-
private_0x000000a5d1dc0000	0xa5d1dc0000	0xa5d1dcffff	Private Memory	rw	-
pagefile_0x00007df5ff760000	0x7df5ff760000	0x7ff5ff75ffff	Pagefile Backed Memory	-	-
pagefile_0x00007ff653e30000	0x7ff653e30000	0x7ff653f2ffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff653f30000	0x7ff653f30000	0x7ff653f52fff	Pagefile Backed Memory	r	-
private_0x00007ff653f56000	0x7ff653f56000	0x7ff653f56fff	Private Memory	rw	-
private_0x00007ff653f5c000	0x7ff653f5c000	0x7ff653f5dfff	Private Memory	rw	-
private_0x00007ff653f5e000	0x7ff653f5e000	0x7ff653f5ffff	Private Memory	rw	-
driverquery.exe	0x7ff654e20000	0x7ff654e38fff	Memory Mapped File	rwx	-
framedynos.dll	0x7ffb36180000	0x7ffb361cdfff	Memory Mapped File	rwx	-
version.dll	0x7ffb3d3b0000	0x7ffb3d3b9fff	Memory Mapped File	rwx	-
uxtheme.dll	0x7ffb43480000	0x7ffb43515fff	Memory Mapped File	rwx	-
mpr.dll	0x7ffb43de0000	0x7ffb43dfbfff	Memory Mapped File	rwx	-
netutils.dll	0x7ffb43e00000	0x7ffb43e0bfff	Memory Mapped File	rwx	-
srvcli.dll	0x7ffb43e10000	0x7ffb43e35fff	Memory Mapped File	rwx	-
sspicli.dll	0x7ffb447d0000	0x7ffb447fbfff	Memory Mapped File	rwx	-
bcryptprimitives.dll	0x7ffb44a00000	0x7ffb44a6afff	Memory Mapped File	rwx	-
kernel.appcore.dll	0x7ffb44c20000	0x7ffb44c2efff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ffb45670000	0x7ffb4584cfff	Memory Mapped File	rwx	-
sechost.dll	0x7ffb45ac0000	0x7ffb45b1afff	Memory Mapped File	rwx	-
rpcrt4.dll	0x7ffb45b20000	0x7ffb45c45fff	Memory Mapped File	rwx	-
user32.dll	0x7ffb45c50000	0x7ffb45d9dfff	Memory Mapped File	rwx	-
ws2_32.dll	0x7ffb45da0000	0x7ffb45e08fff	Memory Mapped File	rwx	-
kernel32.dll	0x7ffb45e10000	0x7ffb45ebcfff	Memory Mapped File	rwx	-
imm32.dll	0x7ffb46070000	0x7ffb460a5fff	Memory Mapped File	rwx	-
gdi32.dll	0x7ffb460c0000	0x7ffb46244fff	Memory Mapped File	rwx	-
shlwapi.dll	0x7ffb46250000	0x7ffb462a0fff	Memory Mapped File	rwx	-
msctf.dll	0x7ffb462d0000	0x7ffb4642bfff	Memory Mapped File	rwx	-
combase.dll	0x7ffb46610000	0x7ffb4688bfff	Memory Mapped File	rwx	-
nsi.dll	0x7ffb47e20000	0x7ffb47e27fff	Memory Mapped File	rwx	-
oleaut32.dll	0x7ffb47f40000	0x7ffb47ffdfff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ffb48000000	0x7ffb4809cfff	Memory Mapped File	rwx	-
ntdll.dll	0x7ffb48180000	0x7ffb48341fff	Memory Mapped File	rwx	-

Process #39: cmd.exe

Information	Value
ID	#39
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:36, Reason: Child Process
Unmonitor	End Time: 00:03:38, Reason: Self Terminated
Monitor Duration	00:00:02

OS Process Information

Information	Value
PID	0x8c0
Parent PID	0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B0 0x 8F8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x00000022cdd60000	0x22cdd60000	0x22cdd7ffff	Private Memory	rw	-
pagefile_0x00000022cdd60000	0x22cdd60000	0x22cdd6ffff	Pagefile Backed Memory	rw	-
private_0x00000022cdd70000	0x22cdd70000	0x22cdd76fff	Private Memory	rw	-
pagefile_0x00000022cdd80000	0x22cdd80000	0x22cdd93fff	Pagefile Backed Memory	r	-
private_0x00000022cdda0000	0x22cdda0000	0x22cde9ffff	Private Memory	rw	-
pagefile_0x00000022cdea0000	0x22cdea0000	0x22cdea3fff	Pagefile Backed Memory	r	-
pagefile_0x00000022cdeb0000	0x22cdeb0000	0x22cdeb0fff	Pagefile Backed Memory	r	-
private_0x00000022cdec0000	0x22cdec0000	0x22cdec1fff	Private Memory	rw	-
locale.nls	0x22cded0000	0x22cdf8dfff	Memory Mapped File	r	-
private_0x00000022cdf90000	0x22cdf90000	0x22cdf96fff	Private Memory	rw	-
private_0x00000022ce020000	0x22ce020000	0x22ce11ffff	Private Memory	rw	-
private_0x00000022ce120000	0x22ce120000	0x22ce21ffff	Private Memory	rw	-
private_0x00000022ce3f0000	0x22ce3f0000	0x22ce3fffff	Private Memory	rw	-
pagefile_0x00007df5ff470000	0x7df5ff470000	0x7ff5ff46ffff	Pagefile Backed Memory	-	-
pagefile_0x00007ff7b49c0000	0x7ff7b49c0000	0x7ff7b4abffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff7b4ac0000	0x7ff7b4ac0000	0x7ff7b4ae2fff	Pagefile Backed Memory	r	-
private_0x00007ff7b4ae7000	0x7ff7b4ae7000	0x7ff7b4ae7fff	Private Memory	rw	-
private_0x00007ff7b4aec000	0x7ff7b4aec000	0x7ff7b4aedfff	Private Memory	rw	-
private_0x00007ff7b4aee000	0x7ff7b4aee000	0x7ff7b4aeffff	Private Memory	rw	-
cmd.exe	0x7ff7b50b0000	0x7ff7b5108fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ffb45670000	0x7ffb4584cfff	Memory Mapped File	rwx	-
kernel32.dll	0x7ffb45e10000	0x7ffb45ebcfff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ffb48000000	0x7ffb4809cfff	Memory Mapped File	rwx	-
ntdll.dll	0x7ffb48180000	0x7ffb48341fff	Memory Mapped File	rwx	-

Threads

Thread 0xb0

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x7ff7b50b0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffb45e2d550	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7ffb45e325e0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7ffb45e31f90	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7ffb456c3a10	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = size	1	Fn
File	Read	filename = STD_OUTPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 11	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #41: cmd.exe

Information	Value
ID	#41
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:37, Reason: Child Process
Unmonitor	End Time: 00:03:41, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

Information	Value
PID	0xb6c
Parent PID	0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 7E8 0x A94

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x00000071556e0000	0x71556e0000	0x71556fffff	Private Memory	rw	-
pagefile_0x00000071556e0000	0x71556e0000	0x71556effff	Pagefile Backed Memory	rw	-
private_0x00000071556f0000	0x71556f0000	0x71556f6fff	Private Memory	rw	-
pagefile_0x0000007155700000	0x7155700000	0x7155713fff	Pagefile Backed Memory	r	-
private_0x0000007155720000	0x7155720000	0x715581ffff	Private Memory	rw	-
pagefile_0x0000007155820000	0x7155820000	0x7155823fff	Pagefile Backed Memory	r	-
pagefile_0x0000007155830000	0x7155830000	0x7155830fff	Pagefile Backed Memory	r	-
private_0x0000007155840000	0x7155840000	0x7155841fff	Private Memory	rw	-
locale.nls	0x7155850000	0x715590dfff	Memory Mapped File	r	-
private_0x0000007155910000	0x7155910000	0x7155916fff	Private Memory	rw	-
private_0x0000007155950000	0x7155950000	0x7155a4ffff	Private Memory	rw	-
private_0x0000007155a50000	0x7155a50000	0x7155b4ffff	Private Memory	rw	-
private_0x0000007155cb0000	0x7155cb0000	0x7155cbffff	Private Memory	rw	-
sortdefault.nls	0x7155cc0000	0x7155ff6fff	Memory Mapped File	r	-
pagefile_0x00007df5ff730000	0x7df5ff730000	0x7ff5ff72ffff	Pagefile Backed Memory	-	-
pagefile_0x00007ff7b4190000	0x7ff7b4190000	0x7ff7b428ffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff7b4290000	0x7ff7b4290000	0x7ff7b42b2fff	Pagefile Backed Memory	r	-
private_0x00007ff7b42b9000	0x7ff7b42b9000	0x7ff7b42b9fff	Private Memory	rw	-
private_0x00007ff7b42bc000	0x7ff7b42bc000	0x7ff7b42bdfff	Private Memory	rw	-
private_0x00007ff7b42be000	0x7ff7b42be000	0x7ff7b42bffff	Private Memory	rw	-
cmd.exe	0x7ff7b50b0000	0x7ff7b5108fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ffb45670000	0x7ffb4584cfff	Memory Mapped File	rwx	-
kernel32.dll	0x7ffb45e10000	0x7ffb45ebcfff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ffb48000000	0x7ffb4809cfff	Memory Mapped File	rwx	-
ntdll.dll	0x7ffb48180000	0x7ffb48341fff	Memory Mapped File	rwx	-

Threads

Thread 0x7e8

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x7ff7b50b0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffb45e2d550	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7ffb45e325e0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7ffb45e31f90	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7ffb456c3a10	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = size	1	Fn
File	Read	filename = STD_OUTPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Get Info	filename = reg.exe, type = file_attributes	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\reg.exe, os_pid = 0x534, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #43: reg.exe

6517

Information	Value
ID	#43
File Name	c:\windows\system32\reg.exe
Command Line	reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:37, Reason: Child Process
Unmonitor	End Time: 00:03:41, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

Information	Value
PID	0x534
Parent PID	0xb6c (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 840 0x 1A4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000e909710000	0xe909710000	0xe90972ffff	Private Memory	rw	-
pagefile_0x000000e909710000	0xe909710000	0xe90971ffff	Pagefile Backed Memory	rw	-
private_0x000000e909720000	0xe909720000	0xe909726fff	Private Memory	rw	-
pagefile_0x000000e909730000	0xe909730000	0xe909743fff	Pagefile Backed Memory	r	-
private_0x000000e909750000	0xe909750000	0xe9097cffff	Private Memory	rw	-
pagefile_0x000000e9097d0000	0xe9097d0000	0xe9097d3fff	Pagefile Backed Memory	r	-
pagefile_0x000000e9097e0000	0xe9097e0000	0xe9097e0fff	Pagefile Backed Memory	r	-
private_0x000000e9097f0000	0xe9097f0000	0xe9097f1fff	Private Memory	rw	-
locale.nls	0xe909800000	0xe9098bdfff	Memory Mapped File	r	-
private_0x000000e9098c0000	0xe9098c0000	0xe9098c6fff	Private Memory	rw	-
private_0x000000e9098d0000	0xe9098d0000	0xe9099cffff	Private Memory	rw	-
private_0x000000e9099d0000	0xe9099d0000	0xe909a4ffff	Private Memory	rw	-
private_0x000000e909c10000	0xe909c10000	0xe909c1ffff	Private Memory	rw	-
sortdefault.nls	0xe909c20000	0xe909f56fff	Memory Mapped File	r	-
pagefile_0x00007df5ff120000	0x7df5ff120000	0x7ff5ff11ffff	Pagefile Backed Memory	-	-
pagefile_0x00007ff75d010000	0x7ff75d010000	0x7ff75d10ffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff75d110000	0x7ff75d110000	0x7ff75d132fff	Pagefile Backed Memory	r	-
private_0x00007ff75d133000	0x7ff75d133000	0x7ff75d133fff	Private Memory	rw	-
private_0x00007ff75d13c000	0x7ff75d13c000	0x7ff75d13dfff	Private Memory	rw	-
private_0x00007ff75d13e000	0x7ff75d13e000	0x7ff75d13ffff	Private Memory	rw	-
reg.exe	0x7ff75d930000	0x7ff75d985fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ffb45670000	0x7ffb4584cfff	Memory Mapped File	rwx	-
sechost.dll	0x7ffb45ac0000	0x7ffb45b1afff	Memory Mapped File	rwx	-
rpcrt4.dll	0x7ffb45b20000	0x7ffb45c45fff	Memory Mapped File	rwx	-
ws2_32.dll	0x7ffb45da0000	0x7ffb45e08fff	Memory Mapped File	rwx	-
kernel32.dll	0x7ffb45e10000	0x7ffb45ebcfff	Memory Mapped File	rwx	-
nsi.dll	0x7ffb47e20000	0x7ffb47e27fff	Memory Mapped File	rwx	-
advapi32.dll	0x7ffb47e30000	0x7ffb47ed5fff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ffb48000000	0x7ffb4809cfff	Memory Mapped File	rwx	-
ntdll.dll	0x7ffb48180000	0x7ffb48341fff	Memory Mapped File	rwx	-

Threads

Thread 0x840

6517

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\reg.exe, base_address = 0x7ff75d930000	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager, value_name = SystemComponent, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager, value_name = SystemComponent, data = 1	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = DisplayName, data = Mozilla Maintenance Service	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = UninstallString, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = UninstallString, data = "C:\Program Files (x86)\Mozilla Maintenance Service\uninstall.exe"	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = DisplayIcon, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = DisplayIcon, data = C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe,0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = DisplayVersion, data = 53.0.3	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = Publisher, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = Publisher, data = Mozilla	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = Comments, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = Comments, data = Mozilla Maintenance Service	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = NoModify, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = NoModify, data = 1	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = EstimatedSize, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = EstimatedSize, data = 426	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = UninstallString, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = UninstallString, data = "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" scenario=install scenariosubtype=ARP sourcetype=None productstoremove=ProjectProRetail.16_en-us_x-none culture=en-us version.16=16.0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = ModifyPath, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = ModifyPath, data = "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" scenario=repair platform=x64 culture=en-us	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = NoRepair, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = NoRepair, data = 0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = NoRemove, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = NoRemove, data = 0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = NoModify, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = NoModify, data = 0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = DisplayIcon, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = DisplayIcon, data = C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = DisplayName, data = Microsoft Project Professional 2016 - en-us	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = DisplayVersion, data = 16.0.10228.20134	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = Publisher, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = Publisher, data = Microsoft Corporation	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = InstallLocation, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = InstallLocation, data = C:\Program Files\Microsoft Office	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = ClickToRunComponent, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = ClickToRunComponent, data = 1	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = UninstallString, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = UninstallString, data = "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" scenario=install scenariosubtype=ARP sourcetype=None productstoremove=ProPlusRetail.16_en-us_x-none culture=en-us version.16=16.0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = ModifyPath, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = ModifyPath, data = "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" scenario=repair platform=x64 culture=en-us	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = NoRepair, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = NoRepair, data = 0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = NoRemove, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = NoRemove, data = 0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = NoModify, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = NoModify, data = 0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = DisplayIcon, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = DisplayIcon, data = C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = DisplayName, data = Microsoft Office Professional Plus 2016 - en-us	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = DisplayVersion, data = 16.0.10228.20134	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = Publisher, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = Publisher, data = Microsoft Corporation	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = InstallLocation, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = InstallLocation, data = C:\Program Files\Microsoft Office	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = ClickToRunComponent, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = ClickToRunComponent, data = 1	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = UninstallString, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = UninstallString, data = "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" scenario=install scenariosubtype=ARP sourcetype=None productstoremove=VisioProRetail.16_en-us_x-none culture=en-us version.16=16.0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = ModifyPath, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = ModifyPath, data = "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" scenario=repair platform=x64 culture=en-us	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = NoRepair, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = NoRepair, data = 0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = NoRemove, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = NoRemove, data = 0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = NoModify, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = NoModify, data = 0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = DisplayIcon, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = DisplayIcon, data = C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = DisplayName, data = Microsoft Visio Professional 2016 - en-us	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = DisplayVersion, data = 16.0.10228.20134	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = Publisher, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = Publisher, data = Microsoft Corporation	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = InstallLocation, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = InstallLocation, data = C:\Program Files\Microsoft Office	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = ClickToRunComponent, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = ClickToRunComponent, data = 1	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC, value_name = NoRemove, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC, value_name = NoRemove, data = 1	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}, value_name = AuthorizedCDFPrefix, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}, value_name = AuthorizedCDFPrefix	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}, value_name = Comments, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}, value_name = Comments, data = Caution. Removing this product might prevent some applications from running.	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}, value_name = Contact, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}, value_name = Contact	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}, value_name = DisplayVersion, data = 10.0.40219	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}, value_name = HelpLink, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}, value_name = HelpLink, data = http://go.microsoft.com/fwlink/?LinkId=146008	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}, value_name = HelpTelephone, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}, value_name = HelpTelephone	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}, value_name = InstallDate, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}, value_name = InstallDate, data = 20170524	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}, value_name = InstallLocation, type = REG_NONE	1	Fn
For performance reasons, the remaining 5486 entries are omitted. The remaining entries can be found in glog.xml.

Process #44: cmd.exe

Information	Value
ID	#44
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:40, Reason: Child Process
Unmonitor	End Time: 00:03:41, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0x8ec
Parent PID	0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x F0 0x 630

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x0000008917eb0000	0x8917eb0000	0x8917ecffff	Private Memory	rw	-
pagefile_0x0000008917eb0000	0x8917eb0000	0x8917ebffff	Pagefile Backed Memory	rw	-
private_0x0000008917ec0000	0x8917ec0000	0x8917ec6fff	Private Memory	rw	-
pagefile_0x0000008917ed0000	0x8917ed0000	0x8917ee3fff	Pagefile Backed Memory	r	-
private_0x0000008917ef0000	0x8917ef0000	0x8917feffff	Private Memory	rw	-
pagefile_0x0000008917ff0000	0x8917ff0000	0x8917ff3fff	Pagefile Backed Memory	r	-
pagefile_0x0000008918000000	0x8918000000	0x8918000fff	Pagefile Backed Memory	r	-
private_0x0000008918010000	0x8918010000	0x8918011fff	Private Memory	rw	-
locale.nls	0x8918020000	0x89180ddfff	Memory Mapped File	r	-
private_0x00000089180e0000	0x89180e0000	0x89181dffff	Private Memory	rw	-
private_0x00000089181e0000	0x89181e0000	0x89182dffff	Private Memory	rw	-
private_0x00000089182e0000	0x89182e0000	0x89182e6fff	Private Memory	rw	-
private_0x0000008918340000	0x8918340000	0x891834ffff	Private Memory	rw	-
pagefile_0x00007df5ff2f0000	0x7df5ff2f0000	0x7ff5ff2effff	Pagefile Backed Memory	-	-
pagefile_0x00007ff7b4580000	0x7ff7b4580000	0x7ff7b467ffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff7b4680000	0x7ff7b4680000	0x7ff7b46a2fff	Pagefile Backed Memory	r	-
private_0x00007ff7b46a8000	0x7ff7b46a8000	0x7ff7b46a8fff	Private Memory	rw	-
private_0x00007ff7b46ac000	0x7ff7b46ac000	0x7ff7b46adfff	Private Memory	rw	-
private_0x00007ff7b46ae000	0x7ff7b46ae000	0x7ff7b46affff	Private Memory	rw	-
cmd.exe	0x7ff7b50b0000	0x7ff7b5108fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ffb45670000	0x7ffb4584cfff	Memory Mapped File	rwx	-
kernel32.dll	0x7ffb45e10000	0x7ffb45ebcfff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ffb48000000	0x7ffb4809cfff	Memory Mapped File	rwx	-
ntdll.dll	0x7ffb48180000	0x7ffb48341fff	Memory Mapped File	rwx	-

Threads

Thread 0xf0

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x7ff7b50b0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffb45e2d550	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7ffb45e325e0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7ffb45e31f90	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7ffb456c3a10	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = size	1	Fn
File	Read	filename = STD_OUTPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 11	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #46: cmd.exe

1498

Information	Value
ID	#46
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /U /C "type C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1 > C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin & del C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:40, Reason: Child Process
Unmonitor	End Time: 00:03:44, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

Information	Value
PID	0x3ac
Parent PID	0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 274 0x 2E4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000b0c84f0000	0xb0c84f0000	0xb0c850ffff	Private Memory	rw	-
pagefile_0x000000b0c84f0000	0xb0c84f0000	0xb0c84fffff	Pagefile Backed Memory	rw	-
private_0x000000b0c8500000	0xb0c8500000	0xb0c8506fff	Private Memory	rw	-
pagefile_0x000000b0c8510000	0xb0c8510000	0xb0c8523fff	Pagefile Backed Memory	r	-
private_0x000000b0c8530000	0xb0c8530000	0xb0c862ffff	Private Memory	rw	-
pagefile_0x000000b0c8630000	0xb0c8630000	0xb0c8633fff	Pagefile Backed Memory	r	-
pagefile_0x000000b0c8640000	0xb0c8640000	0xb0c8640fff	Pagefile Backed Memory	r	-
private_0x000000b0c8650000	0xb0c8650000	0xb0c8651fff	Private Memory	rw	-
locale.nls	0xb0c8660000	0xb0c871dfff	Memory Mapped File	r	-
private_0x000000b0c8720000	0xb0c8720000	0xb0c8726fff	Private Memory	rw	-
private_0x000000b0c8760000	0xb0c8760000	0xb0c876ffff	Private Memory	rw	-
private_0x000000b0c8780000	0xb0c8780000	0xb0c887ffff	Private Memory	rw	-
private_0x000000b0c8880000	0xb0c8880000	0xb0c897ffff	Private Memory	rw	-
pagefile_0x00007df5ff080000	0x7df5ff080000	0x7ff5ff07ffff	Pagefile Backed Memory	-	-
pagefile_0x00007ff7b4510000	0x7ff7b4510000	0x7ff7b460ffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff7b4610000	0x7ff7b4610000	0x7ff7b4632fff	Pagefile Backed Memory	r	-
private_0x00007ff7b4633000	0x7ff7b4633000	0x7ff7b4633fff	Private Memory	rw	-
private_0x00007ff7b463c000	0x7ff7b463c000	0x7ff7b463dfff	Private Memory	rw	-
private_0x00007ff7b463e000	0x7ff7b463e000	0x7ff7b463ffff	Private Memory	rw	-
cmd.exe	0x7ff7b50b0000	0x7ff7b5108fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ffb45670000	0x7ffb4584cfff	Memory Mapped File	rwx	-
kernel32.dll	0x7ffb45e10000	0x7ffb45ebcfff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ffb48000000	0x7ffb4809cfff	Memory Mapped File	rwx	-
ntdll.dll	0x7ffb48180000	0x7ffb48341fff	Memory Mapped File	rwx	-

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin	96.51 KB	MD5: a240089d327a1ebcc458c2c3161ee815 SHA1: de0c1f991cf15d6ff79b174f42651b6c4a8e2305 SHA256: 4a241e7a91d186287d30587253964c6b198c275abfef770107b5078178188c89 SSDeep: 3072:sgvF/8qnVg5BbE78GLZOWPqaNi3Uw3fwGJeXAdpcpmXJrK9xQYRIS32mjktPfzAa:qT		... File Actions Show Properties Download
C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1	48.25 KB	MD5: c892049fc102a30285e8b98aa4c6b1e5 SHA1: 6c619c97f5ef82c3d2f5623534fadded48a4648c SHA256: 90eb06e686edc493e6c9ca57b9b71897d27e904a8efafb6046154fff2c84f4c1 SSDeep: 1536:Q1hlEd+kcUOYbi7x12MaiPz9jAr/ESZtlA8YkFNfBYk2:QPqYk2		... File Actions Show Properties Download

Threads

Thread 0x274

1498

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x7ff7b50b0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffb45e2d550	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7ffb45e325e0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7ffb45e31f90	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7ffb456c3a10	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Open	-	1	Fn
File	Get Info	type = file_type	1	Fn
File	Open	-	1	Fn
File	Get Info	type = size, size_out = 0	1	Fn
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
For performance reasons, the remaining 250 entries are omitted. The remaining entries can be found in glog.xml.

Process #49: makecab.exe

Information	Value
ID	#49
File Name	c:\windows\system32\makecab.exe
Command Line	makecab.exe /F "C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.bin"
Initial Working Directory	C:\Users\CIIHMN~1\AppData\Local\Temp\
Monitor	Start Time: 00:03:42, Reason: Child Process
Unmonitor	End Time: 00:03:44, Reason: Self Terminated
Monitor Duration	00:00:02

OS Process Information

Information	Value
PID	0xa4c
Parent PID	0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x BFC 0x B18

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000fa10720000	0xfa10720000	0xfa1073ffff	Private Memory	rw	-
pagefile_0x000000fa10720000	0xfa10720000	0xfa1072ffff	Pagefile Backed Memory	rw	-
private_0x000000fa10730000	0xfa10730000	0xfa10736fff	Private Memory	rw	-
pagefile_0x000000fa10740000	0xfa10740000	0xfa10753fff	Pagefile Backed Memory	r	-
private_0x000000fa10760000	0xfa10760000	0xfa107dffff	Private Memory	rw	-
pagefile_0x000000fa107e0000	0xfa107e0000	0xfa107e3fff	Pagefile Backed Memory	r	-
pagefile_0x000000fa107f0000	0xfa107f0000	0xfa107f1fff	Pagefile Backed Memory	r	-
private_0x000000fa10800000	0xfa10800000	0xfa10801fff	Private Memory	rw	-
private_0x000000fa10810000	0xfa10810000	0xfa10816fff	Private Memory	rw	-
private_0x000000fa10820000	0xfa10820000	0xfa10820fff	Private Memory	rw	-
private_0x000000fa10830000	0xfa10830000	0xfa1092ffff	Private Memory	rw	-
locale.nls	0xfa10930000	0xfa109edfff	Memory Mapped File	r	-
private_0x000000fa109f0000	0xfa109f0000	0xfa10a6ffff	Private Memory	rw	-
private_0x000000fa10a70000	0xfa10a70000	0xfa10a70fff	Private Memory	rw	-
tzres.dll	0xfa10a80000	0xfa10a82fff	Memory Mapped File	r	-
tzres.dll.mui	0xfa10a90000	0xfa10a98fff	Memory Mapped File	r	-
private_0x000000fa10b60000	0xfa10b60000	0xfa10b6ffff	Private Memory	rw	-
pagefile_0x000000fa10b70000	0xfa10b70000	0xfa10cf7fff	Pagefile Backed Memory	r	-
pagefile_0x000000fa10d00000	0xfa10d00000	0xfa10e80fff	Pagefile Backed Memory	r	-
pagefile_0x000000fa10e90000	0xfa10e90000	0xfa1228ffff	Pagefile Backed Memory	r	-
private_0x000000fa12290000	0xfa12290000	0xfa1238ffff	Private Memory	rw	-
pagefile_0x00007df5fffc0000	0x7df5fffc0000	0x7ff5fffbffff	Pagefile Backed Memory	-	-
pagefile_0x00007ff7819e0000	0x7ff7819e0000	0x7ff781adffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff781ae0000	0x7ff781ae0000	0x7ff781b02fff	Pagefile Backed Memory	r	-
private_0x00007ff781b09000	0x7ff781b09000	0x7ff781b09fff	Private Memory	rw	-
private_0x00007ff781b0c000	0x7ff781b0c000	0x7ff781b0dfff	Private Memory	rw	-
private_0x00007ff781b0e000	0x7ff781b0e000	0x7ff781b0ffff	Private Memory	rw	-
makecab.exe	0x7ff781df0000	0x7ff781e09fff	Memory Mapped File	rwx	-
version.dll	0x7ffb3d3b0000	0x7ffb3d3b9fff	Memory Mapped File	rwx	-
cabinet.dll	0x7ffb3e540000	0x7ffb3e566fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ffb45670000	0x7ffb4584cfff	Memory Mapped File	rwx	-
user32.dll	0x7ffb45c50000	0x7ffb45d9dfff	Memory Mapped File	rwx	-
kernel32.dll	0x7ffb45e10000	0x7ffb45ebcfff	Memory Mapped File	rwx	-
imm32.dll	0x7ffb46070000	0x7ffb460a5fff	Memory Mapped File	rwx	-
gdi32.dll	0x7ffb460c0000	0x7ffb46244fff	Memory Mapped File	rwx	-
msctf.dll	0x7ffb462d0000	0x7ffb4642bfff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ffb48000000	0x7ffb4809cfff	Memory Mapped File	rwx	-
ntdll.dll	0x7ffb48180000	0x7ffb48341fff	Memory Mapped File	rwx	-

Created Files

Filename	File Size	Hash Values	Actions
C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2636_6	0.02 KB	MD5: decf6c06fb2e267da61dff136ea369be SHA1: 84cf4aadf1d8051186620896d3f10ccea1402887 SHA256: 3cff9def1c500018c81d532ab55279b08260b82c409bd4a002896c8175d73a0d SSDeep: 3:ylKKln:ylKKln	... File Actions Show Properties Download
setup.inf	0.92 KB	MD5: 6ff1b2f7e7ca141fb1f71463403c9e8e SHA1: e01ef8a40fb4edb46e7c4af8c278ea3058900d5c SHA256: e0a7fe9243c4c4374d6ecbd0fb982919f43ee86ba6d46d2d70535faa1b720b2e SSDeep: 12:QxncDimwRL+pLnsP2neJheI5Hx28IncDimwRL+pLnhIv:QF8vwIpLn02nKhesHx2l8vwIpLnw	... File Actions Show Properties Download
C:\Users\CIIHMN~1\AppData\Local\Temp\4D82\FE41.tmp	0.00 KB	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3::	... File Actions Show Properties
C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2636_5	9.07 KB	MD5: 528ff10108faa49e56f70293bf226450 SHA1: 0effb7ca1be6d0ae75f81ec439f241732300a759 SHA256: 4f405a8d1bad5189d60adb3bed9e2fd69fd8903ce27ae092ca6f89aebe387dfd SSDeep: 192:xzPaOMbXgR4kuLfQMOfbC1cpW4Zk498gigTCiShihXt:/Mbc5VMOfbCGsKH8AtShiht	... File Actions Show Properties Download
setup.rpt	0.28 KB	MD5: ddb1b807b6d49362c7e8a28fa2cc5cd8 SHA1: 0ca5e654afd9d847245c8055026c1233a7bd4b1c SHA256: 9c4aac67c2b09d1e3ac39edca6279daf953370634bb61bddc3bdb3606ac66226 SSDeep: 6:vgqGpf6g/ukCObSmVKQBu0iwac/hQzQTlFIP:vOphXC+SmVBDiw3JXk	... File Actions Show Properties Download
C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2120_2	0.02 KB	MD5: 4230347e5849e9c7230227a287ae4a41 SHA1: a3fa042694dc86f05973ac07231c95cf590d606a SHA256: 2484fa669042204d83d907de45012a2aef7f6687613ce76169097240415b0abd SSDeep: 3:R0qxv:Rf	... File Actions Show Properties Download
C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2636_3	0.03 KB	MD5: b0304cd94811263bf9a2e5881eb0ca66 SHA1: b22bfa271e0bcb0071f38de41a47173bea2af7ac SHA256: 23efcb202017c92f50d33fe1b2043147d87fbf18a4b8107825c50ebfaadaeb50 SSDeep: 3:NLBoKTsKy:ZeKT5y	... File Actions Show Properties Download
C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2636_7	9.07 KB	MD5: 0e37735d8665fc514dd41d5ad9c63801 SHA1: fa1dfb9198afed2b80de5e6de894915b527c42d3 SHA256: 685d237aa1808b9430f27a4c31a2222d9218dc630a1dac63484512f9bba3ab34 SSDeep: 192:dzPaOMbXgR4kuLfQMOfbC1cpW4Zk498gigTAiShihXt:jMbc5VMOfbCGsKH8ArShiht	... File Actions Show Properties Download
C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2636_9	0.01 KB	MD5: 9f69799c453769d6e3c832d6d02c614f SHA1: 96a05ff9e89f75904d023143cb84a85a13eedf98 SHA256: 49343ffd86917455d1a41b670f9136c5c920ff4dde5094ca6ae07015ca42048e SSDeep: 3:Oln:Oln	... File Actions Show Properties Download
C:\Users\CIIHMN~1\AppData\Local\Temp\D969.bin	9.14 KB	MD5: fcc8a196f218abd00dfa9f954d85747a SHA1: fae1291da862aaaf1cabde958fcaf4503025ed4e SHA256: 37001a6b2bf3872df263960be59d99d9f3d38aa30583ef16e3244d9ce29cee60 SSDeep: 192:WzPaOMbXgR4kuLfQMOfbC1cpW4Zk498gigTAiShihXt:SMbc5VMOfbCGsKH8ArShiht	... File Actions Show Properties Download
C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2636_4	0.03 KB	MD5: fae16a9e78e1e2a0282d8dca387d8786 SHA1: da1cb06dc20adf7e7d79809ef2d52c0122ba2c8e SHA256: b66f6ca27cba4c5cffde0a2e09b6f5f21c344af7e9644803eb5127507264acba SSDeep: 3:dJgVRl2UOJRxyn:dq52UOJRgn	... File Actions Show Properties Download

Threads

Thread 0xbfc

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\makecab.exe, base_address = 0x7ff781df0000	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb45e10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x7ffb45e30f40	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.bin, file_attributes = _O_EXCL	1	Fn
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.bin, size = 3	1	Fn Data
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.bin, size = 4096	1	Fn Data
File	Create	filename = CAB02636.TMP, file_attributes = _O_RDWR, _O_CREAT, _O_EXCL	1	Fn
File	Create	filename = setup.inf, file_attributes = _O_RDWR, _O_CREAT	1	Fn
File	Create	filename = CAB02636.TMP, file_attributes = _O_RDWR, _O_CREAT, _O_EXCL	1	Fn
File	Create	filename = setup.rpt, file_attributes = _O_RDWR, _O_CREAT	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2636_2, file_attributes = _O_WRONLY	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2636_3, file_attributes = _O_WRONLY	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2636_4, file_attributes = _O_WRONLY	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.bin, file_attributes = _O_EXCL	1	Fn
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.bin, size = 3	1	Fn Data
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.bin, size = 4096	1	Fn Data
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02636.TMP, file_attributes = _O_RDWR, _O_CREAT, _O_EXCL	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2636_5, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2636_6, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2636_7, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2636_8, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2636_9, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE	1	Fn
File	Read	size = 32768	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02636.TMP, size = 8	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02636.TMP, size = 7894	1	Fn Data
File	Read	size = 32768	1	Fn Data
File	Read	size = 16124	1	Fn
File	Write	size = 16	1	Fn Data
File	Write	size = 9	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02636.TMP, size = 8	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02636.TMP, size = 1381	1	Fn Data
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2636_10, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2636_11, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02636.TMP, size = 8	1	Fn Data
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02636.TMP, size = 7894	1	Fn Data
File	Write	size = 8	1	Fn Data
File	Write	size = 7894	1	Fn Data
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02636.TMP, size = 8	1	Fn Data
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02636.TMP, size = 1381	1	Fn Data
File	Write	size = 8	1	Fn Data
File	Write	size = 1381	1	Fn Data
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02636.TMP, size = 8	1	Fn
File	Write	size = 8	1	Fn Data
File	Read	size = 16	1	Fn Data
File	Read	size = 256	1	Fn Data
File	Write	size = 16	1	Fn Data
File	Write	size = 9	1	Fn Data
File	Read	size = 16	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\D969.bin, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02636.TMP, size = 36	1	Fn Data
File	Read	size = 8	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02636.TMP, size = 8	1	Fn Data
File	Read	size = 8	1	Fn
File	Read	size = 32768	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02636.TMP, size = 25	1	Fn Data
File	Read	size = 32768	1	Fn
File	Read	size = 32768	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02636.TMP, size = 9291	1	Fn Data
File	Read	size = 32768	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02636.TMP, size = 4	1	Fn Data
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2636_12, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2636_13, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2636_14, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = setup.inf, file_attributes = _O_WRONLY \| _O_BINARY	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2636_2, file_attributes = _O_RDONLY \| _O_BINARY	1	Fn
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2636_2, size = 2048, size_out = 23	1	Fn Data
File	Write	filename = setup.inf, size = 23	1	Fn Data
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2636_3, file_attributes = _O_RDONLY \| _O_BINARY	1	Fn
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2636_3, size = 2048, size_out = 30	1	Fn Data
File	Write	filename = setup.inf, size = 30	1	Fn Data
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2636_4, file_attributes = _O_RDONLY \| _O_BINARY	1	Fn
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2636_4, size = 2048, size_out = 33	1	Fn Data
File	Write	filename = setup.inf, size = 33	1	Fn Data
File	Create	filename = setup.rpt, file_attributes = _O_WRONLY	1	Fn

Notifications (2/3)

Monitored Processes

Behavior Information - Sequential View

Before

After